efficienthierarchicalauthenticationprotocolfor...

Research ArticleEfficient Hierarchical Authentication Protocol forMultiserver Architecture

Jiangheng Kou Mingxing He Ling Xiong and Zeqiong Lv

School of Computer and Software Engineering Xihua University Chengdu Sichuan 610039 China

Correspondence should be addressed to Mingxing He he_mingxing64aliyuncom

Received 23 August 2019 Revised 14 November 2019 Accepted 22 January 2020 Published 23 March 2020

Academic Editor Jose Marıa de Fuentes

Copyright copy 2020 JianghengKou et alis is an open access article distributed under the Creative CommonsAttribution Licensewhich permits unrestricted use distribution and reproduction in any medium provided the original work is properly cited

e multiserver architecture authentication (MSAA) protocol plays a significant role in achieving secure communicationsbetween devices In recent years researchers proposed many new MSAA protocols to gain more functionality and securityHowever in the existing studies registered users can access to all registered service providers in the systemwithout any limitationTo ensure that the system can restrict users that are at different levels and can access to different levels of service providers wepropose a new lightweight hierarchical authentication protocol for multiserver architecture using a Merkle tree to verify userrsquosauthentication right e proposed protocol has hierarchical authentication functionality high security and reasonable com-putation and communication costs Moreover the security analysis demonstrates that the proposed protocol satisfies the securityrequirements in practical applications and the proposed protocol is provably secure in the general security model

1 Introduction

Rapid advances in wireless communication technologiesbring convenience to our lives With an increasing numberof users and services the single-server architecture au-thentication protocols can no longer meet peoplersquos variousrequirements [1] Multiserver architecture authentication(MSAA) protocols have emerged and been widely used inthe Internet of things wireless sensor networks smart gridcloud computing and mobile payment Because MSAAprotocols have better properties than single-server archi-tecture authentication protocols [2 3] it becomes a hotspot in current research

However due to the openness of the multiserver envi-ronment an adversary can easily control communicationchannels and carries out many types of attacks such asintercept modify replay and delay messages betweenmultiple parties For defending these attacks researchersproposed many authentication protocols for the multi-server architecture that are using cryptographic methodsto secure communication between different parties Newprotocols also have lower computation and communica-tion costs than the previous protocols Currently MSAAprotocols can be divided into two types by whether it involves

the registration center (RC) at the authentication phase efirst type is MSAA protocols with the RC involving at theauthentication phase (MSAA1) [1 2 4ndash11] and the secondtype is MSAA protocols without RC involving at the au-thentication phase (MSAA2) [12ndash23] In MSAA1 proto-colsRC verifies every mutual authentication process whichmakes it a bottleneck in MSAA1 protocols e communi-cation cost in MSAA1 protocols is significantly increasedcompared to MSAA2 protocols To address these draw-backs researchers proposed many MSAA2 protocols whichhave more efficiency and security than the existing MSAA1protocols [14]

Currently hierarchical authentication functionality ismissing in the existing MSAA2 protocols When a userregistered at RC heshe can authenticate with all registeredservice providers [24] and access to their services Howeverthere are many different users and service providers in thissystem and the userrsquos level is different from each otherand low-level users should not successfully authenticatewith high-level service providers and access to their servicesBesides there should be some high-level service providersonly providing service for some particular users such as VIPusers In general the MSAA protocols with the hierarchicalauthentication functionality will have flexibility in managing

HindawiSecurity and Communication NetworksVolume 2020 Article ID 2523834 14 pageshttpsdoiorg10115520202523834

user authentication rights and access capabilities e hi-erarchical authentication functionality has been achievedin the MSAA1 protocol [2 4] In the MSAA1 protocol anRC is required at the authentication phase erefore RCcan verify the userrsquos authentication rights to determinewhether heshe can access to service providers that are at aparticular level However MSAA1 protocols have severaldrawbacks such as unreasonable communication cost thatwe showed earlier making the whole system inefficientSuppose we apply the existing MSAA2 protocols to theabove environment there should be multiple RCs to manageusers and service providers at different levels Users andservice providers need to store various certificates fromdifferent RCs e missing of hierarchical authenticationfunctionality in the existing MSAA2 protocols motivates usto design a new lightweight hierarchical authenticationprotocol for multiserver architecture

e proposed protocol uses a self-constructed Merkletree to achieve hierarchical authentication functionality Inthe proposed protocol a session key is established betweenservice providers and users without involving RC this sig-nificantly reduces communication cost and makes the au-thentication process faster e proposed protocol can meetthe security requirements of the multiserver architecture andis provably secure in general security model

e remainder of this paper is organized as followsSection 2 discusses the related work Section 3 describespreliminaries In Section 4 we show the details of theproposed protocol Section 5 gives out the formal securityproof of the proposed protocol Section 6 presents a com-parison of the proposed protocol with other related protocolson security computation and communication costs Section7 concludes the paper

2 Related Work

Li et al [1] proposed a new multiserver architecture au-thentication (MSAA) protocol for cloud computing basedon the identity-based model Shao and Chin [4] proposedan authentication protocol for multiserver architecture butfailed to resist the server spoofing and the impersonationattacks He and Wang [5] constructed the first genuinelythree-factor authentication protocol for the multiserverarchitecture but their protocol is vulnerable to the knownsession-specific temporary information attack and imper-sonation attack Odelu et al [6] proposed an improvedprotocol to solve the security drawbacks in [5] Xie et al [7]proposed a two-factor authentication protocol HoweverXiersquos protocol cannot resist the lost smart card attack and theoffline dictionary guessing attack To address the drawbacksChandrakar and Om [8] proposed a new security-enhancedthree-factor protocol Feng et al [9] proposed an enhancedbiometrics-based authentication protocol that can provideuser anonymity Amin et al [10] proposed a lightweightauthentication protocol that has lower computational andcommunication costs Cui et al [11] proposed an efficientprotocol that only uses nonce exclusive-OR operation andone-way hash function their protocol greatly reduces thecomputation cost However in this kind of protocol they all

need the help of an online registration center to achieve mutualauthentication which increases the communication cost

In order to solve the drawbacks in the first type protocolChoi et al [12] proposed the first MSAA protocol withoutthe online registration center Tseng et al [13] proposed alist-free ID-based authentication protocol using bilinearpairings for the multiserver architecture However Tsenget al [13] cannot provide credentials privacy and untrace-ability for users Recently Odelu et al [14] and He et al [15]proposed new protocols that reduce the computation andcommunication costs Irshad et al [16] found protocol in[17] cannot achieve desired security goals erefore theyproposed an improved multiserver authentication protocolfor distributed mobile cloud computing services AfterwardXiong et al [18] found protocol in [16] has unreasonablecomputation cost so they proposed an enhanced protocolfor distributed mobile cloud At the same time Xiong et al[19] proposed a new lightweight anonymous authenticationprotocol to reduce computation and communication costsBarman et al [25] used fuzzy commitment approach tosecure the information stored on personal device Kumariet al [20] proposed a concept of the fuzzy extractor toprovide the proper matching of biometric patterns Xu et al[21] proposed a new protocol that provides untraceabilityJiang et al [22] performed a security analysis to the protocolin [17] pointing out that it is vulnerable to the imper-sonation attack Chatterjee et al [23] proposed a biometric-based protocol using the chaotic map and enhanced thesecurity for multiserver architecture We summarizetechniques advantages and disadvantages that the existingprotocols used in Table 1

3 Preliminaries

In this section we introduce preliminaries of the proposedprotocol

Let G1 and G2 be an additive cyclic group and a mul-tiplicative cyclic group both of them have a large primeorder q Let 1113954e G1 times G1⟶ G2 denote a bilinear mapSuppose P is a generator of G1 g is a generator of G2 Abilinear map 1113954e has the following properties

(i) Bilinearity for all P Q isin G1 and for all a b isin Zlowastq 1113954e(aP bQ) 1113954e(P Q)ab

(ii) Computability there exists an algorithm that cansuccessfully compute 1113954e(P Q) for all P Q isin G1

(iii) Nondegeneracy there exists P Q isin G1 such that1113954e(P Q)ne 1 where 1 is the identity element of G2

We list the hard problems that we used in the proposedprotocol as follows

(i) Discrete logarithm (DL) problem given an elementx isin G2 it is hard to compute a isin Zlowastq such thatx ga

(ii) Computational DiffiendashHellman (CDH) problemgiven two elements ga gb isin G2 it is hard to com-pute gamiddotb isin G2 where a and b are unknown andrandomly chosen from Zlowastq

2 Security and Communication Networks

(iii) Modified Bilinear Inverse DiffiendashHellman withk value (k-mBIDH) problem [12] given k ele-ments α1 α2 αk1113864 1113865(αi isin Zlowastq ) and k + 2 elementsτ middot P η middot P (1(τ + α1)) middot P (1(τ + α2)) middot P 1113864 (1

(τ + αk)) middot P each of them is in G1 it is hard tocompute 1113954e(P P)η(τ+α) where α notin α1 α2 αk1113864 1113865

and τ and η are two unknown elements in Zlowastq

A security system parameter generator used in theproposed protocol is introduced below

Gen(middot) the system parameter generator takes a securityparameter n and outputs system parameters a bilinear mapan elliptic curve a multiplicative group etc Intuitively thesystem parameters will be publicly known

e notations used in the proposed protocol are listed inTable 2

4 The Proposed Protocol

41 RC Initialization Phase Registration center runs thegeneration function Gen(1n) which takes a security pa-rameter n isin Z+ and outputs parameters as follows

(1) RC chooses two bilinear map groups G1 and G2 witha prime order q the generator P isin G1 and g

1113954e(P P) isin G2 where 1113954e G1 times G1⟶ G2 is a bilinearmap

(2) RC chooses cryptographic hash functions H1

0 1 lowast ⟶ Zlowastq H2 G2⟶ Zlowastq H3 0 1 lowast ⟶ G1H4 0 1 lowast ⟶ 0 1 n

(3) RC chooses a random number s⟵R Zlowastq as the masterkey computes the corresponding public keyPpub sP isin G1 and constructs an authenticationright tree T as Figure 1 e detail of the tree willbe described in Section 45 Finally RC publishesG1G2 q 1113954e P Ppub g H1 H2 H3 H41113966 1113967

42 User Registration Phase If a user Ui wants to regis-ter with the registration center RC the followingsteps will be executed e main steps are provided inTable 3

(1) Ui sends hisher identity IDUito RC via a secure

channel

Table 1 Related work summaries

Protocol Technique Advantage Disadvantage[1] Identity-based Lightweight and efficient Cannot provide user anonymity

[4] Identity-based Provides user anonymity resists server spoofingattack and impersonation attack etc

Cannot resist server spoofing attack andimpersonation attacks

[5] Biometrics-based First truly three-factor authenticated scheme Cannot resist known session-specifictemporary attack and the impersonation attack

[6] Biometrics-based Provides secure authentication and resists passiveand active attacks

Needs registration center online forauthentication

[7] Identity-based Security enhanced and supports smart card revocationand password update without centralized storage

Cannot resist the lost smart card attack andthe offline dictionary guessing attack

[8] Biometrics-based Efficient in terms of computation cost communicationcost and resists smart card storage cost High maintenance cost

[9] Biometrics-based Incurs low overhead suitable for deployment atmobile devices


[10] Two-factor-based Security enhanced lightweight and efficient Needs registration center online forauthentication

[11] Identity-based Resists the server spoofing attack Needs registration center onlinefor authentication

[12] Identity-based Does not need registration center onlinefor authentication Cannot provide hierarchical authentication

[13] Identity-based Provides blackwhite list-free and simplerevocation mechanism

Cannot provide credentials privacy anduntraceability

[14] Identity-based Provides SK-security and strong credentialsrsquo privacy Cannot provide hierarchical authentication

[15] Identity-based Uses the self-certified public key cryptography andhas lower computation and communication costs Cannot provide hierarchical authentication

[16] Two-factor-based Resists server spoofing attack desynchronization attackand denial-of-service attack Cannot provide hierarchical authentication

[17] Two-factor-basedReduces authentication processing time required by

communication and computation between cloud serviceproviders and traditional trusted third-party service

Cannot resist service provider impersonationattack and has no user revocation facility

[18] Biometrics-based Provides three-factor security user revocationand reregistration Cannot provide hierarchical authentication

[19] Biometrics-based User anonymity perfect forward secrecy and resistanceto desynchronization attack Cannot provide hierarchical authentication

[21] Two-factor-based Provides user untraceability and perfect forward security Cannot provide hierarchical authentication[23] Biometric-based Uses chaotic map to improve efficiency Cannot provide hierarchical authentication

Security and Communication Networks 3

(2) RC selects an authentication parameter KRi isin Tand computes the Uirsquos private key dUi

(1(s +

H1(IDUieKRi))) middot P where e is the expire date of

the private key andT is an authentication right treeRC chooses a parameter ai isin T and sends dUi

ai1113966 1113967 toUi via a secure channel

(3) Ui computes (σi θi)⟵f(bi) using the fuzzy-ex-tractor generation procedure f(middot) [26] where σi is abiometric key θi is a public reproduction parameterand bi is hisher personal biometrics Ui computesA dUi

oplusH3(pwσ i) and uses the widely imple-mented fuzzy-verifier technique [27 28] to computeB H4((H4(IDUi

)H4(pwσ i))mod n0) where pwis hisher password and n0 is the integer that definesin [27] Finally Ui stores ai θi A B e f(middot)1113864

fminus 1(middot) t H1 H2 H3 H4 on its mobile devicewhere t is the threshold in fuzzy extractor f(middot) is theprobabilistic generation procedure for outputtingσi and θi fminus 1(middot) is the deterministic reproductionprocedure that can recover σi and θi from a newpersonal biometrics input

43 Service Provider Registration Phase If a service providerSj wants to register with the RC the following steps will beexecuted e main steps are provided in Table 4

(1) Sj sends hisher identity IDSjto RC via a secure

channel(2) RC computes the private key dSj

(1(s +

H1(IDSj))) middot P for Sj and sends dSj

1113954T1113882 1113883 to him via a

secure channel where 1113954T is an authentication righttree for service provider We will describe the detailof 1113954T in Section 45

(3) Finally Sj saves dSj 1113954T1113882 1113883

44 User and Service Provider Authentication Phase In thispart we show the mutual authentication phase between auser and a service provider without involving RC e mainsteps are provided in Table 5

(1) First Ui inputs hisher biometrics bi identity IDUi

and password pw into hisher mobile deviceMobile device computes σi fminus 1(θi bi) and Blowast

H4((H4(IDUi)H4(pwσi))mod n0) and verifies the

validity of inputted biometrics and password bycomputing Blowast

B If it holds mobile device retrieves

Uirsquos private key by computing dUi AoplusH3(pwσi)

and temporarily saves IDUi en Ui selects a tem-

porary session secret r1 calculates r1 H1(r1dUi)

and computes g1 gr1 C r1 middot (H1(IDSj)P + Ppub)

by using the identity of Sj Next Ui

computesD H1(IDUieIDSj

g1) E (r1 + D)middot

dUi and F (aiIDUi

eIDSj)oplusH2(gr1) Finally Ui

sends the login message C E F to Sj(2) After receiving C E F Sj checks whether IDUi

is inIDRL if IDUi

is not in IDRL Sj retrieves g1 usinghisher private key dSj

as g1 gr1 1113954e(C dSj) Sj re-

trieves ai D IDUi e IDSj

by computingFoplusH2(g1) Sj

computes KRi H4(KRi+1Li) where Li

H4(ai 1113954ai) and verifies 1113954e(E H1(IDUieKRi)middot

P + Ppub)

g1 middot gD If both are equal Ui is allowed toauthenticate with Sjen Sj selects a temporary sessionsecret 1113954r2 then heshe calculates r2 H1( 1113954r2dSj

) andcomputes g2 gr2 and session key is set assk H2(g

r21 ) H2(gr1r2) Finally Sj calculates G

H4(skg1g2IDSjC) and sends the message g2 G1113864 1113865

to Ui(3) Upon receiving g2 G1113864 1113865 Ui computes sk H2(g

r12 )

H2(gr1r2)and Glowast H4(skg1g2IDSjC) and

checks whether G and Glowast are equal If both are notequal Ui aborts the session Otherwise Ui con-firms Sj as a valid service provider and sets sk assession key between Ui and Sj

Table 2 Notations used in the proposed protocol

Notation DescriptionRC e registration centerUi e ith userSj e jth service providerA e adversaryIDUi

e identity of ith userIDSj

e identity of jth service providerpw e password of a userbi e ith userrsquos personal biometricsσi e biometric keye e private key expire parameter1113954r1 1113954r2 Random numbers from Zlowastqsk e session key

Concatenation operationT e authentication right tree1113954T e authentication right tree on service provider sideai 1113954ai e authentication right parametersKRi e ith node of the authentication right treeLi e subnode of KRi

f(middot) e fuzzy-extractor generation proceduref(middot)minus 1 e deterministic reproduction procedureHi(middot) Secure one-way hash functionsIDRL ID revocation list

KRn

KR1

L1

a1 a 1

L2

a2 a 2

KRnndash1

Lnndash1

anndash1

Ln

an

a nndash1KR2

hellip a n

Figure 1 Authentication right tree


45 Tree Construction and Verification e proposed pro-tocol uses an authentication right tree T to store userrsquos andservice providerrsquos hierarchical authentication informationT is a Merkle hash tree that was introduced by Merkle [29]in 1998 Merkle hash tree is a digital signature scheme thatonly uses a conventional encryption function to compute thedigital signature making it extremely efficient In 2009Satoshi proposed a peer-to-peer electronic cash system asknown as bitcoin [30] Bitcoin system stores transactions inMerkle hash tree which saves disk space and this methodcan be used to verify transactions in each block ereforewe use a Merkle hash tree to construct our authenticationright tree In this part we will show how we construct anauthentication tree and how to verify a userrsquos authenticationright based on the rules of Merkle hash tree

451 Tree Construction First we introduce the construc-tion of the authentication right tree T as Figure 1 Anauthentication tree T contains the information of n dif-ferent levels e first level is the lowest level in the systemand the nth level is the highest level in the system Node KRi

denotes a user that has the authentication right which isfrom the first level to ith level Value stored in node KRi iscomputed from the hash values of its left child node KRiminus 1and right child node Li as KRi H4(KRiminus 1Li) e cal-culation of node KR1 as KR1 H4(L1) is different fromother KR nodes If a user is at the first level KR1 is embed inhisher private key and heshe can only access to first levelservice providers in this system If user is at ith level KRi isembed in hisher private key and heshe can access toservice providers which are from first to ith levels e right

Table 4 Service provider registration phase

Service provider Sj Registration center RC

⟶IDSj

secure channelComputes

dSj (1(s + H1(IDSj

))) middot P

larrdSj

1113954T1113966 1113967

secure channel

Stores dSj 1113954T1113882 1113883

Table 3 User registration phase

Mobile user Ui Registration center RC

⟶IDUi

secure channelComputes private key dUi

(1(s + H1(IDUieKRi))) middot P

and selects ai isin T

⟵dUi

ai1113966 1113967

secure channelComputes (σi θi)⟵f(bi)A dUioplusH3(pw σi)

B H4((H4(IDUi) H4(pwσi))mod n0) and stores

ai θi A B e f(middot) fminus 1(middot) t H1 H2 H3 H41113864 1113865

Table 5 User and service provider authentication phase

Mobile user Ui Service provider Sj

r1 H1( 1113954r1dUi) g1 gr1 C r1 middot (H1(IDSj

) middot P + Ppub)

D H1(IDUieIDSj

g1)

E (r1 + D) middot dUiF (aiIDUi

eIDSj)oplusH2(g1)

⟶CEF

Retrieves g1 gr1 1113954e(C dSj)(aiIDUi

eIDSj) FoplusH2(g1)

computes Li H4(ai1113954ai)KRi H4(KRi+1Li)1113954e(E H1(IDUi

eKRi) middot P + Ppub)

g1 middot gD andacceptsrejects

r2 H1( 1113954r2dSj) g2 gr2 sk H2(g

r21 )G H4(skg1g2IDSj

C)

⟵(Gg2)

Computes sk H2(gr12 )Glowast H4(skg1g2IDSj

C) checks

Glowast

G and acceptsrejects sk


child node Li is an intermediate variable which preparesfor calculating KRi Value stored in node Li is computedfrom the hash values of its left leaf node ai and right leafnode 1113954ai as Li H4(ai 1113954ai) Leaf node ai and 1113954ai are two 160-bit random strings that are stored on user and serviceprovider separately If a user is at ith level number i is storedin the last logn

2 bits and the first (160 minus logn2) bits should be

a random string

452 Tree Stored on Service Provider e authenticationright tree 1113954T stored on the service provider has a littledifferent from T Service provider uses 1113954T to verify userrsquosauthentication right e scale of 1113954T stored on each serviceprovider is based on the level of service provider As wementioned above nth level is the highest level in the systemIf service provider is at nth level heshe only provides servicefor nth level user so heshe only needs to save the au-thentication right tree 1113954T as Figure 2 If service provider is atthe jth level heshe can provide service for user that is fromjth to nth level erefore heshe needs to save 1113954aj to 1113954an andKRjminus 1 to KRn as Figure 3 where the symbol ldquordquo denotes thenode that service provider does not have

453 Authentication Right Verification When an ith leveluser wants to access a jth level service provider where ige juser sends ai to service provider and when service pro-vider received authentication parameter ai heshe checksthe last logn

2 bits of ai to get userrsquos level and finds 1113954ai Serviceprovider computes the value of Li as Li H4(ai 1113954ai) andthe value of KRi as KRi H4(KRiminus 1Li) en serviceprovider verifies userrsquos authentication right by calculating1113954e(E H1(IDUi


g1 middot gD If the equationholds service provider continues Otherwise hesheaborts the session For instance if a 10th level user wants toaccess to a 5th level service provider user sends a10 toservice provider and when service provider receivedauthentication parameter a10 heshe checks the last logn

2bits of a10 to get userrsquos level and finds 1113955a10 Service providercomputes L10 H4(a101113955a10) and KR10 H4(KR9L10)Service provider verifies userrsquos authentication right bycalculating 1113954e(E H1(IDUi

eKR10) middot P + Ppub)

g1 middot gD Ifthe equation holds service provider continues Otherwiseheshe aborts the authentication

46 4e User Revocation and Reregistration PhaseRevocation and reregistration has been used in many pro-tocols [31 32] In this part we describe user revocation andreregistrationWhen a userUi lost hisher smart card hesheneeds to reregister Ui submits hisher personal informationto RC and then RC verifies Uirsquos personal information andchecks the expire date of the private key dUi

If dUihas

already expired RC issues Ui a new private key with a newexpire date If dUi

has not expired RC issues Ui a new ID anda new private key with the same expire date as the lost smartcard RC adds the lost IDUi

to its ID revocation list (IDRL)

and board casts IDUito all service providers After received

IDUi service providers save it into their local storage

5 Security Proof

In this section we analyze the security of our protocol Firstwe present a security model for our protocol which is basedon BellarendashRogaway (BR) model [33] and CK-adversarymodel [34] and we use Zipfrsquos law [35] to enhance the se-curity of the basemodel Second we show that the security ofthe proposed protocol is based on the hardness of mathe-matical problems ird we show that our protocol satisfiessecurity requirements

51 Security Model We propose a security model for theproposed protocol based on literature studies [5 15 27 33 36]ere areUi and Sj at the authentication phase of the proposedprotocol e security of the proposed protocol is defined by agame played between an adversary A and a challenger C LetΠlΛ denote the lth instance of the participant of Λ isin Ui Sj1113966 1113967

respectively In this game we describe the capabilities ofA thatis defined in the literature [27] as follows

(i) A can enumerate offline all the items in the Car-tesian product Did ⋆Dpw within polynomial timewhere Dpw and Did denote the password space andthe identity space respectively

(ii) A has the capability of somehow learning thevictimrsquos identity when evaluating security strength(but not privacy provisions) of the protocol

(iii) A is in full control of the communication channelbetween the protocol participants

(iv) A may either (i) learn the password of a legitimateuser via malicious card reader or (ii) extract thesensitive parameters in the card memory by side-channel attacks but cannot achieve both

KRn

KRnndash1

a n

Figure 2 Authentication right tree on nth level service provider

KRn

KRnndash1

a n

KR2

KR1

a 1

a 2

hellip

a nndash1

Figure 3 Authentication right tree on jth level service provider


(v) A can learn previous session keys(vi) A has the capability of learning serverrsquos longtime

private keys only when evaluating the resistance toeventual failure of the server (eg forward secrecy)

A can issue queries to C and get answers from it asfollows

(i) Hi(qj) at any timeA issues query qj where qj canbe any string and C picks a random numberrj isin Zlowastq and stores langqj rjrang into list Hlist

i wherei isin 1 2 3 4 and j isin poly(n)1113864 1113865 FinallyC sends rj

to A(ii) ExtractUID (IDUi

) A issues queries of useridentity IDUi

andC generates users private key dUi

and stores langIDUi dUi

rang into list ElistdUi

(iii) ExtractSID (IDSj

) A issues queries of serviceproviderrsquos identity IDSj

and C generates serviceproviderrsquos private key dSj

and stores langIDSj dSj

rang

into list ElistdSj

(iv) Send (Πl

Λ) A issues query of the message m andC runs the protocol and returns the result to A

(v) SKReveal (ΠlΛ)A issues query and C returns the

session key produced in ΠlΛ to A

(vi) CorruptUID (IDUi) A issues the query of userrsquos

identity IDUi and C returns userrsquos private key dUi

to A(vii) CorruptSID (IDSj

) A issues the query of serviceproviderrsquos identity IDSj

and C returns serviceproviderrsquos private key dSj

to A(viii) Test (Πl

Λ) when A issues the query C flips arandom coin b isin 0 1 If b 1 C sends sessionkey in Πl

Λ to A otherwise (b 0) and C picks arandom number with the same length of sessionkey and sends it to A

After issuing the queries aboveA outputs bprime where bprime isabout the coin b produced in Test (Πl

Λ)-query A violatesthe authentication key agreement (AKA) of the proposedprotocol Σ if A can guess b correctly We define Arsquosadvantage in attacking the proposed protocol Σ asAdvAKAΣ (A) |2Pr[b bprime] minus 1|

Definition 1 (AKA-Secure) e proposed protocol Σis authentication key agreement secure (AKA-Secure) ifAdvAKAΣ (A) |2Pr[b bprime] minus 1| is negligible for anypolynomial-time adversary A

A violates the mutual authentication of the proposedprotocol Σ ifA can generate a legal login message or a legalresponse message Let E US and E SU denote the events thatA generates a legal login message and a legal responsemessage We define the advantage ofA attacking the mutualauthentication of the proposed protocol Σ as AdvMA

Σ (A)

Pr[E US ] + Pr[E SU ]

Definition 2 (MA-Secure) e proposed protocol Σ ismutual authentication secure (MA-Secure) if AdvMA

Σ (A) isnegligible for any polynomial-time adversary A

52 Proof of Security In this part we show the proposedprotocol Σ for multiserver architecture is AKA-secure andMA-secure in the security model we described above

Lemma 1 No polynomial-time adversaryA can forge a legallogin message with a nonnegligible probability ϵ

Proof Suppose the adversaryA forges a legal login messagewith a nonnegligible probability ϵ We show there is achallenger C who can solve the discrete logarithm (DL)problem with a nonnegligible probability

Given an instance (g gs) of the DL problem the aim ofchallenger C is to compute s isin Zlowastq and C sends the systemparameters G1G2 q 1113954e P Ppub g H1 H2 H3 H41113966 1113967 to A Crandomly selects IDUi

and answersArsquos queries according tothe following description

(i) Hi(qj) C maintains a list Hlisti initialized empty

Upon receiving the query qj C checks if langqj rjrang

exists in Hlisti If yes C sends rj to A otherwise

Crandomly picks rj isin Zlowastq and stores langqj rjrang inHlist

i then sends rj to A where j isin poly(n)1113864 1113865(ii) ExtractUID (IDUi

) C maintains a list ElistdUi

ini-tialized empty When receiving the query IDUi

Cchecks if langIDUi

dUirang exists in Elist

dUi

then C senddUi

to A otherwise C executes the operations asfollows

(1) If IDUi IDUch

C sets H1(IDUi)⟵ α

dUi⟵perp and stores langIDUi

αrang into Hlist1

langIDUi dUi

rang into ElistU

(2) Otherwise if IDUine IDUch

C randomly selectsαi isin α1 α2 αk1113864 1113865 setsH1 IDUch

1113966 1113967⟵αi dUi⟵ (1(s + αi)) middot P and

stores langIDUi αirang in Hlist

1 langIDUi dUi

rang in ElistdUi

(iii) ExtractSID (IDSj) C maintains a list Elist

dSjinitialized empty When receiving the query IDSj

C checks if langIDSj dSj

rang exists in ElistdSj

If yesC send

dSjto A otherwise C randomly picks rdSj

isin Zlowastq

and computes dSj (1(s + rdSj

)) middot P C storeslangIDSj

dSjrang into Elist

dSj

langIDSj rdSj

rang into Hlist1 and

sends dSjto A

(iv) Send (ΠlΛ) C checks if Λ and Uch are equal if yes

C aborts the game otherwise C operatesaccording to protocol Σ

(v) SKReveal (ΠlΛ) after received the query C sends


(vi) CorruptUID (IDUi) C searches for langIDUi

dUirang in

ElistdUi

and returns dUito A

(vii) CorruptSID (IDSj) C searches for langIDSj

dSjrang in

ElistdSj

and returns dSjto A

(viii) Test (ΠlΛ) C randomly picks a number with the

same length of session key and sends it to A

At last A outputs a legal login message C E F cor-responding to userrsquos identity IDUi

If IDUine IDUch

C abortsthe game Based on the forking lemma [37] A can output


another legal login message (C Eprime Fprime) Because the loginmessages is legal we get the following two equations gUi

iscomputed by rising g to the power of a random numberchose by A

1113954e E H1 IDUieKRi1113872 1113873 middot P + Ppub1113872 1113873 gUi

middot gD

1113954e Eprime H1 IDUieKRi1113872 1113873 middot P + Ppub1113872 1113873 gUi

middot gDprime

(1)

Based on the two equations above we get the followingequations

1113954e E H1 IDUieKRi1113872 1113873 middot P + Ppub1113872 1113873

1113954e Eprime H1 IDUieKRi1113872 1113873 middot P + Ppub1113872 1113873

gUi

middot gD

gUimiddot gDprime

gDminus Dprime

(2)

C outputs (D minus Dprime)minus 1 middot (E minus Eprime) as the solution to the givenDL problem e probability that C can solve the DLproblem is described as follows

(i) E1 C dose not abort in the any Send-queries(ii) E2 A outputs a legal login request(iii) E3 IDUi

and IDUIare equal

Let l denote the number of bits in biometric data qSendand qH1

denote the number of Send-queries and H1-queriesexecuted in the game Cprime and sprime are the Zipfrsquos parameters[35] and l is the length of biometric information We canget Pr[E1]ge (1 minus (1(qSend + 1)))qSend Pr[E2 | E1]ge ε andPr[E3 | E1 andE2]ge (1qH1

)erefore the nonnegligible probability thatC can solve

the DL problem is given byPr E1 andE2 andE31113858 1113859 Pr E3 E1 andE2

11138681113868111386811138681113960 1113961

Pr E2 E111138681113868111386811138681113960 1113961 middot Pr E11113858 1113859ge

1 minus 1 qSend + 1( 1113857( 1113857( 1113857qSend

qH1

middot ε

+ max Cprime middot qs primeSend

qSend

2l1113882 1113883

(3)

is contradicts with the hardness of the DL problemerefore we get that no polynomial-time adversary againstthe proposedMSAA protocol can forge a legal login messagewith a nonnegligible probability

Lemma 2 No polynomial-time adversaryA can forge a legalresponse message with a nonnegligible probability

Proof Suppose the adversary A forges a legal responsemessage with a nonnegligible probability ε We show there isa challenger C who can solve the k-mBIDH problem with anonnegligible probability

Given an instance (P y middot P z middot P (1(y + α1)) middot P

(1(y + α2)) middot P (1(y + αk)) middot P isin G1) of the k-mBIDHproblem the aim of challengerC is to compute 1113954e(P P)s(y+α)he picks a random number x isin Zlowastq and computes x middot P y middot Pand sends the system parameters G1G2 q e P Ppub1113966

g H1 H2 H3 H4 toAC randomly selects IDUiand answers

Arsquos queries according to the following description



exists in Hlisti If yes C sends rj to A otherwise C

randomly picks rj isin Zlowastq and stores langqj rjrang in Hlisti

then sends rj to A where j isin poly(n)1113864 1113865(ii) ExtractUID (IDUi

) C maintains a list ElistdUiinitialized empty When receiving the query IDUi

C checks if langIDUi dUi

rang exists in ElistdUi

and then C

sends dUito A otherwise C randomly picks

rdUiisin Zlowastq and computes dUi

(1(s + rdUi)) middot P C

stores langIDUi dUi

rang in ElistdUi

langIDUi rdUi

rang in Hlist1 and

sends dUito A





and then C

sends dSjto A otherwise C executes the oper-

ations as follows

(1) If IDSj IDSch

C sets H1 IDUi1113966 1113967⟵α and stores

langIDSj αrang into Hlist

1 langIDSjperprang into Elist

dSj

(2) Otherwise if IDSjne IDSch

C randomly selects

αi isin α1 α2 αk1113864 1113865 sets H1 IDSj1113882 1113883⟵α and

stores langIDSj αirang in Hlist

1 langIDSj αi (1(s + αi)) middot

Prang in ElistdSj

(iv) Send (ΠlΛ) C checks if Λ and Sch are equal if yes

C aborts the game otherwiseC operates accordingto the proposed protocol Σ

Finally A outputs a response message correspondingto identity IDSj

C outputs g1 as the solution of k-mBIDHproblem e probability that C can solve the k-mBIDHproblem is described as follows

(i) E1 C dose not abort in any Send-queries(ii) E2 C outputs a legal response message(iii) E3 IDSJ

and IDSchare equal

Let qSend qH1 and qH2

denote the number of Response-query H1-query and H2-query in the game We canget Pr[E1]ge (1 minus (1(qSend + 1)))qSend Pr[E2 | E1]ge ε andPr[E3 | E1 andE2]ge (1(qH1

middot qH2)) erefore the non-

negligible probability that C can solve the k-mBIDHproblem is given by

Pr E1 andE2 andE31113858 1113859 Pr E31113868111386811138681113868 E1 andE21113960 1113961 middot Pr E2

1113868111386811138681113868 E11113960 1113961 middot Pr E11113858 1113859

ge1 minus 1 qSend + 1( 1113857( 1113857( 1113857

qSend

qH1middot qH2

middot ε(4)

is contradicts with the hardness of the k-mBIDHproblem erefore we get that no polynomial-timeadversary against the proposed MSAA protocol canforge a legal response message with a nonnegligibleprobability

Theorem 1 4e proposed protocol is MA-secure if the DLproblem and the k-mBIDH problem are hard


Proof Based on Lemmas 1 and 2 we get no polynomial-timeadversary can forge a legal login message or a legal responsemessage if the DL problem and the k-mBIDHproblem are harderefore we get the proposed protocol is MA-secure

Theorem 2 4e proposed protocol is AKA-secure if the CDHproblem is hard

Proof Suppose A guesses b correctly in Test-query with anonnegligible probability ϵ then C can solve the CDHproblem with a nonnegligible probability

Let Esk denote the event that A gets the correct sessionkey Since the probability thatA correctly guesses the value bis at least 12 we can get Pr[Esk]ge (ε2)

Let ETU and ETS denote the events that A uses in theTest-query to a userrsquos instance and a service providerrsquos in-stance respectively Let E US denote the event that A canviolate the user to service provider authentication We getthe following two equations

ε2lePr Esk1113858 1113859 Pr Esk andETU1113858 1113859 + Pr Esk andETS1113858 1113859

andE US + Pr Esk andETS andnotE US 1113960 1113961le Pr Esk andETU1113858 1113859 + Pr E US 1113960 1113961 + Pr Esk andETS andnotE US 1113960 1113961

Pr Esk andETU1113858 1113859 + Pr Esk andETS andnotE U S 1113858 geε2

minus Pr E US 1113960 1113961

(5)

Since Pr[ETS andE US ] Pr[ETU] we get

Pr ETS andE US 1113960 1113961geε4

minusPr E US 1113960 1113961

2 (6)

We get the probability as follows

Pr sk H2 gr1r2( 1113857

1113868111386811138681113868 r1 r2⟵Zlowastq1113960 1113961ge

ε4

minusPr E US 1113960 1113961

2 (7)

According to the proof of Lemma 1 we get Pr[E US ] isnegligible However (ε4) minus ((Pr[E US ])2) is nonnegligiblesuppose that x gr1 y gr2 where r1 r2 isin Zlowastq Given aninstance (x y) of the CDH problem A computesz gr1 middotr2with a nonnegligible probability(ε4) minus ((Pr[E US ])2) erefore C can use A to solve theCDH problem with a nonnegligible probability is con-tradicts with the hardness of the CDH problemerefore wecan conclude that the proposed protocol is AKA-secure ifthe CDH problem is hard

53 Security Requirements Analysis We briefly show theproposed protocol satisfies the security requirements asfollows

(i) Single registration according to the specificationof the proposed protocol a user registers at theregistration center once and heshe can log intoregistered service providers which is at a specificlevelerefore the proposed protocol can providesingle registration

(ii) Mutual authentication two lemmas describedabove show that the adversary against the pro-posed protocol cannot produce a valid login orresponse message en IDUi

and IDSjcan au-

thenticate with the participant by checking thelegality of the received response message and loginmessage respectively erefore the proposedprotocol can support mutual authentication

(iii) User anonymity according to the proposed pro-tocol the userrsquos identity IDUi

is only in the messageF (DIDUi

eIDSj)oplusH2(gr1) To get IDUi

ad-versary needs to compute gr1 from C

r1 middot (H1(IDSj) middot P + Ppub) and it turns out the ad-

versary need to solve the k-mBIDHproblemenweknow that the proposed protocol can provide useranonymity as long as k-mBIDH problem is hard

(iv) Untraceability according to the proposed pro-tocol user generates a new random numberr1 isin Zlowastq to compute C r1 middot (H1(IDSj

) middot P +

Ppub) gr1 F (aiDIDUieIDSj

)oplusH2(gr1) Dueto the randomness of r1 adversary cannot findany relation of messages sent by the user andcannot trace the userrsquos behavior erefore theproposed protocol can provide untraceability

(v) Session key agreement according to the proposedprotocol both two participants calculate sessionkey sk H2(gr1r2) which can be used in futurecommunications erefore the proposed proto-col can provide session key agreement

(vi) Perfect forward secrecy assume the adversarysteals both private keys of the user and the serviceprovider We also assume that the adversary inter-cepts C E F G g2 sent between the user and theservice provider Using the service providerrsquos privatekey the adversary can compute g1 1113954e(C dSj

) gr1 To get session key sk H2(gr1r2) the adversarymust to compute g

r21 g

r12 gr1r2 where g1 gr1

g2 gr2 us adversary must solve the CDHproblem en the proposed protocol can pro-vide the perfect forward secrecy since the CDHproblem is hard

(vii) No smart card lose attack [20] assume the ad-versary steals the userrsquos device By using the side-


channel attack the adversary can extract the dataB H4(IDUi

H4(pwσ i)) A dUioplusH3(pwσ i)

e adversary can guess password pw but heshecannot verify its correctness because we haveimplemented the fuzzy-verifier technique [27 28]e adversary cannot get the userrsquos password so hecannot get the userrsquos private key dUi

ereforeadversaries cannot impersonate the user to theservice provider and the proposed protocol canresist smart card lose attack

(viii) No password verifier table according to the pro-posed protocol both two participants need to storetheir private keys and the registration center needsno password verifier table us the proposedprotocol provides no password verifier table

(ix) No online registration center according to theproposed protocol two participants can authen-ticate with each other without the help of theregistration center us the proposed protocoldoes not need an online registration center

(x) Hierarchical authentication this security requirementonly satisfied by the proposed protocole hierarchicalinformation KRi is embedded in the userrsquos privatekeydUi

(1(s + H1(IDUieKRi))) middot P when au-

thentication is with a service provider service pro-vider will check the userrsquos authentication right bycomputing whether the equation1113954e(E H1(IDUi

eKRi)middot P + Ppub)

g1 middot gD holds(xi) e resistance of various attacks the proposed

protocol can resist the insider attack the replayattack the man-in-the-middle attack etc Webriefly describe it as follows

(1) Temporary information attack if the adversarygets the temporary information 1113954r1 1113954r2 heshehas no ability to derive the userrsquos secret keyfrom (r1 + D) middot dUi

because the exponential ofg is composed of two values one is sessiontemporary secret 1113954r1 and other is the private keyof the user dUi

erefore the proposed protocolis secure against temporary information attack

(2) Insider attack suppose an insider in the systemgets the userrsquos information IDUi

H3(pwσ i)e adversary can guess a password pwHowever heshe cannot verify its correctnessbecause userrsquos password is protected by thesecure hash function and the biometric key σius the insider cannot get userrsquos passwordand the proposed protocol withstands the in-sider attack

(3) User impersonation attack [38 39] accordingto the proof of Lemma 1 we conclude that noadversary can forge a legal login messagewithout the userrsquos private keyus the serviceprovider can find out about the attack byverifying the validity of the received loginmessage erefore the proposed protocol canresist the user impersonation attack

(4) Server spoofing attack according to the proofof Lemma 2 we know that no adversary cangenerate a legal response message without theservice providerrsquos private key erefore userscan find out about the attack by verifying thevalidity of the received response messageerefore the proposed protocol can resist theserver spoofing attack

(5) Modification attack according to the proof ofLemma 1 we know that C E F is a digitalsignature of the login message and nopolynomial-time adversary can forge a legalone e service provider can find any modifi-cation by checking if the equation g1 gr1

1113954e(C dSj) and 1113954e(E H1(IDUi

eKRi) middot P +

Ppub)

g1 middot gDholds Besides G is the messageauthentication code of the response messageC E F under the key g1 1113954e(C dSj

) e usercan find out about any modification of theresponse message because the hash functionH4(middot) is secure erefore the proposed pro-tocol can resist the modification attack

(6) Replay attack according to the proposedprotocol both two participants generate newrandom number r1 r2 isin Zlowastq and g1 gr1

g2 gr2 which are involved in the loginmessage and the response message Due to thefreshness of g1 g2 the user and the serviceprovider can find the replay of messages bychecking the validity of the received messageerefore the proposed protocol resists thereplay attack

(7) Man-in-the-middle attack based on the abovedescription we conclude that the proposedprotocol provides mutual authentication be-tween two participants erefore the proposedprotocol can resist the man-in-the-middleattack

54 SecurityComparison In this part we compare the securityof the proposed protocol with other multiserver architectureprotocols in Table6 We introduce a new independent criterionwhich is based on a widely adopted standard [40 41] as follows

C1 (no password verifier table) the server does notneed to maintain a database for storing user passwordsor some derived values of user passwordsC2 (password friendly) the password is memorable andcan be chosen freely and changed locally by the userC3 (no password exposure) the password cannot bederived by the privileged administrator of the serverC4 (no smart card loss attack) the scheme is free fromsmart card loss attack ie unauthorized users getting avictimrsquos card should not be able to easily change thepassword of the smart card recover the victimrsquospassword by using online offline or hybrid guessing


Tabl

e6

Performance

comparison

Protocol

roun

ds

Com

putatio

ncost

Com

mun

ication

cost

Storagecost

Security

requ

irem

ents

Usersid

eServer

side

User

side

Server

side

C1

C2

C3

C4

C5

C6

C7

C8

C9

C10

C11

C12

C13

Odelu

etal[14]

3T

mtp

+4T

h+3T

sm

+2T

expasymp78

519

Tm

tp+4T

h+4T

exp

+T

sm

+Tmul

+2T

bpasymp15

303

832

672

1674

Heet

al

[15]

32T

sm+

Tp

a+2T

exp

+8T

h

asymp31

837

Tbp

+4T

exp

+2T

mul

+5T

hasymp5246

2240

1184

3424

Ours

23T

sm+2T

exp

+T

pa

+6T

hasymp45

354

2Tbp

+4T

exp

+T

sm+

Tp

a

+Tmul

+7T

hasymp11

107

896

672

1834


attacks or impersonate the user to login to the systemeven if the smart card is obtained andor secret data inthe smart card are revealedC5 (resistance to known attacks) the scheme resistsvarious kinds of basicsophisticated attacks includingoffline password guessing attack replay attack parallelsession attack desynchronization attack stolen verifierattack impersonation attack key control unknown keyshare attack and known key attackC6 (sound repairability) the scheme provides smartcard revocation with good repairability ie a user canrevoke her card without changing her identityC7 (provision of key agreement) the client and theserver can establish a common session key for securedata communications during the authenticationprocessC8 (no clock synchronization) the scheme is not proneto the problems of clock synchronization and timedelay ie the server needs not to synchronize its timeclock with these time clocks of all input devices used bysmart cards and vice versaC9 (timely typo detection) the user will be timelynotified if she inputs a wrong password by mistakewhen loginC10 (mutual authentication) the user and server canverify the authenticity of each otherC11 (user anonymity) the scheme can protect useridentity and prevent user activities from being tracedC12 (forward secrecy) the scheme provides theproperty of perfect forward secrecyC13 (hierarchical authentication) when a server au-thenticates with a user it checks the userrsquos authentica-tion right If the user authentication right belongs to theserver authentication level the authentication is suc-cessful Otherwise the authentication request is denied

6 Performance Comparison

We show the computation and communication costs of theproposed protocol We compare its performance with otherprotocol For the purpose of getting a trusted security level(1024-bit RSA algorithm) an Ate pairing1113954e G1 times G1⟶ G2is used G1 with order q is generated bya point on a supersingular elliptic curve E(Fp) y2 x3 +

1 which is defined on the finite field Fp Order q is a 160-bit prime number and p is a 512-bit prime number

61 Computation Cost Comparison We give the runningtime of various operations performed in the proposedprotocol and we compare the results with He et al [15] andOdelu et al [14] In this section we use the following no-tations for the following running times in this paper

(i) Tbp the running time of a bilinear pairingoperation

(ii) Tsm the running time of a scalar multiplicationoperation in G1

(iii) Tmtp the running time of a map-to-point hashfunction in G1

(iv) Tpa the running time of a point addition operationin G1

(v) Texp the running time of an exponentiation op-eration in G2

(vi) Tmul the running time of a multiplication operationin G2

(vii) Th the running time of a general hash operation

e above operations are implemented with MIRACLE[42] library on a rooted android mobile phone (A5000 withQualcomm 801 processor 2-gigabyte memory GoogleAndroid 442 operating system) and a personal computer(Lenovo with an i7-6700HQ 26GHz 16-gigabyte memoryWindows 7reg operating system) e running time of thoseoperations is listed in Table 7

We compare the computation costs of the proposedprotocol with He et al [15] and Odelu et al [14] based on therunning time of the user and the service providerand theresult is shown in Table 6

62 Communication Cost Comparison According to thedescription of the trusted security level q is a 160-bit primenumber and p is a 512-bit prime number e size of anelement inG1G2 is 1024 bits e size of the hash functionrsquosoutput is 160 bits and the identity and the expire parameterare both 32 bits In our protocol we only have two roundsof communication for establishing a session key On clientside the messages C E F require 320 + 320+256 896 bitsand on service provider side messages G g2 require160 + 512 672 bits e total communication costs are1568 bits In He et alrsquos [15] protocol on client sidemessages RUi

CUirequire 1024 + 32+1024 + 160 2240 bits

and on server side messages y αSjrequire 1024 + 1601184

bits In Odelu et alrsquos [14] protocol on client side messagesM1 M3 require 320 + 512 832 bits and on server sidemessage M2 require 672 bits e comparison of commu-nication costs is shown in Table 6

63 Storage Cost Analysis Because the mobile devices arelimited to storage spaces we therefore analyze the storagecost on the user side to show the proposed protocol hasreasonable storage cost In Odelu et alrsquos protocol a userneeds to store EiLti

ei θi t e Lti P Ppub g q1113966 1113967 in hisherdevice which costs 1674 bits In He et alrsquos protocol user

needs to store Rui y asj

gUiψUi

vUi bUi

1113882 1113883 which costs 3230

Table 7 e running time of related operations (milliseconds)

Tmtp Tbp Tsm Tpa Texp Tmul Th

User 33582 32713 13405 0081 2249 0008 0056Server 4174 1665 1665 0011 0260 0001 0006


bits In our protocol user needs to storeA B θi ai e P Ppub g q1113966 1113967 which costs 1834 bits

7 Conclusion

In this paper we have proposed a hierarchical authentica-tion protocol for the multiserver environment e signif-icant contribution of this paper is that we have built anauthentication right tree based on the Merkle hash treewhich can be used to verify the authentication right of a userwhen heshe is authenticating with the service provider eextended hierarchical authentication feature has addedmoreflexibility and security to multiserver architecture e se-curity proof has demonstrated that our protocol is provablysecure under the random oracle model Our protocol hasreasonable computation and communication costs whichcould be suitable for multiserver architecture

Data Availability

No data were used to support this study

Conflicts of Interest

e authors declare that there are no conflicts of interestregarding the publication of this article

Acknowledgments

is work was funded by the Chengdu Science and Tech-nology Bureau (no 2016-XT00-00015-GX) and the CivilAviation Administration of China (no PSDSA201802)

References

[1] H Li Y Dai L Tian and H Yang ldquoIdentity-based au-thentication for cloud computingrdquo in Cloud ComputingM G Jaatun G Zhao and C Rong Eds Springer BerlinGermany pp 157ndash166 2009

[2] H Ning H Liu and L T Yang ldquoAggregated-proof basedhierarchical authentication scheme for the internet of thingsrdquoIEEE Transactions on Parallel and Distributed Systems vol 26no 3 pp 657ndash667 2015

[3] H Tohidi and V T Vakili ldquoLightweight authenticationscheme for smart grid using merkle hash tree and losslesscompression hybrid methodrdquo IET Communications vol 12no 19 pp 2478ndash2484 2018

[4] M-H Shao and Y-C Chin ldquoA privacy-preserving dynamicid-based remote user authentication scheme with accesscontrol for multi-server environmentrdquo IEICE Transactions onInformation and Systems vol E95-D no 1 pp 161ndash168 2012

[5] D He and DWang ldquoRobust biometrics-based authenticationscheme for multiserver environmentrdquo IEEE Systems Journalvol 9 no 3 pp 816ndash823 SEP 2015

[6] V Odelu A K Das and A Goswami ldquoA secure biometrics-based multi-server authentication protocol using smartcardsrdquo IEEE Transactions on Information Forensics and Se-curity vol 10 no 9 pp 1953ndash1966 2015

[7] Q Xie D S Wong G Wang X Tan K Chen and L FangldquoProvably secure dynamic id-based anonymous two-factorauthenticated key exchange protocol with extended security

modelrdquo IEEE Transactions on Information Forensics andSecurity vol 12 no 6 pp 1382ndash1392 2017

[8] P Chandrakar and H Om ldquoA secure and robust anonymousthree-factor remote user authentication scheme for multi-server environment using eccrdquo Computer Communicationsvol 110 pp 26ndash34 2017

[9] Q Feng D He S Zeadally and H Wang ldquoAnonymousbiometrics-based authentication scheme with key distributionfor mobile multi-server environmentrdquo Future GenerationComputer Systems vol 84 pp 239ndash251 2018

[10] R Amin N Kumar G P Biswas R Iqbal and V Chang ldquoAlight weight authentication protocol for iot-enabled devices indistributed cloud computing environmentrdquo Future Genera-tion Computer Systems vol 78 pp 1005ndash1019 2018

[11] J Cui X Zhang N Cao D Zhang J Ding and G Li ldquoAnimproved authentication protocol-based dynamic identity formulti-server environmentsrdquo International Journal of Dis-tributed Sensor Networks vol 14 no 5 2018

[12] K Choi J Hwang D Lee and I Seo ldquoDased authenticatedkey agreement for low-wer mobile devicesrdquo C Boyd and J MGonzalez Nieto Eds in Proceedings of the10th AustralasianConference on Information Security and Privacy vol 3574 pp494ndash505 Brisbane Australia July 2005

[13] Y-M Tseng S-S Huang T-T Tsai and J-H Ke ldquoList-freeID-based mutual authentication and key agreement protocolfor multiserver architecturesrdquo IEEE Transactions on EmergingTopics in Computing vol 4 no 1 pp 102ndash112 2016

[14] V Odelu A K Das S Kumari X Huang and M WazidldquoProvably secure authenticated key agreement scheme fordistributed mobile cloud computing servicesrdquo Future Gen-eration Computer Systems vol 68 pp 74ndash88 2017

[15] D He S Zeadally N Kumar and W Wu ldquoEfficient andanonymous mobile user authentication protocol using self-certified public key cryptography for multi-server architecturesrdquoIEEE Transactions on Information Forensics and Security vol 11no 9 pp 2052ndash2064 2016

[16] A Irshad M Sher H F Ahmad B A AlzahraniS A Chaudhry and R Kumar ldquoAn improved multi-serverauthentication scheme for distributed mobile cloud com-puting servicesrdquo KSII Transactions on Internet and Infor-mation Systems vol 10 pp 5529ndash5552 2016

[17] J-L Tsai and N-W Lo ldquoA privacy-aware authenticationscheme for distributed mobile cloud computing servicesrdquoIEEE Systems Journal vol 9 no 3 pp 805ndash815 2015

[18] L Xiong D Peng T Peng and H Liang ldquoAn enhancedprivacy-aware authentication scheme for distributed mobilecloud computing servicesrdquo KsII Transactions on Internet andInformation Systems vol 11 no 12 pp 6169ndash6187 2017

[19] L Xiong D Y Peng T Peng H B Liang and Z C Liu ldquoAlightweight anonymous authentication protocol with perfectforward secrecy for wireless sensor networksrdquo Sensors vol 17no 11 p 2681 2017

[20] S Kumari A K Das X Li et al ldquoA provably secure bio-metrics-based authenticated key agreement scheme for multi-server environmentsrdquo Multimedia Tools and Applicationsvol 77 no 2 pp 2359ndash2389 2018

[21] G Xu S Qiu H Ahmad et al ldquoA multi-server two-factorauthentication scheme with un-traceability using ellipticcurve cryptographyrdquo Sensors vol 18 no 7 p 2394 2018

[22] Q Jiang J Ma and F Wei ldquoOn the security of a privacy-aware authentication scheme for distributed mobile cloudcomputing servicesrdquo IEEE Systems Journal vol 12 no 2pp 2039ndash2042 2018


[23] S Chatterjee S Roy A K Das S Chattopadhyay N Kumarand A V Vasilakos ldquoSecure biometric-based authenticationscheme using Chebyshev chaotic map for multi-server en-vironmentrdquo IEEE Transactions on Dependable and SecureComputing vol 15 no 5 pp 824ndash839 2018

[24] W-S Juang ldquoEfficient multi-server password authenticatedkey agreement using smart cardsrdquo IEEE Transactions onConsumer Electronics vol 50 no 1 pp 251ndash255 2004

[25] S Barman A K Das D Samanta S ChattopadhyayJ J P C Rodrigues and Y Park ldquoProvably secure multi-server authentication protocol using fuzzy commitmentrdquoIEEE Access vol 6 pp 38578ndash38594 2018

[26] Y Dodis L Reyzin and A Smith ldquoFuzzy extractors how togenerate strong keys from biometrics and other noisy datardquo inAdvances in CryptologymdashEUROCRYPT 2004 C Cachin andJ L Camenisch Eds Springer Berlin Germany pp 523ndash540 2004

[27] D Wang D He P Wang and C-H Chu ldquoAnonymous two-factor authentication in distributed systems certain goals arebeyond attainmentrdquo IEEE Transactions on Dependable andSecure Computing vol 12 no 4 pp 428ndash442 2015

[28] P Wang Z Zhang and D Wang ldquoRevisiting anonymoustwo-factor authentication schemes for multi-server envi-ronmentrdquo in Proceedings of the 2018 International Conferenceon Information and Communications Security Lille FranceOctober 2018

[29] R C Merkle ldquoA digital signature based on a conventionalencryption functionrdquo in Advances in CryptologymdashCRYPTO rsquo87C Pomerance Ed Springer Berlin Germany pp 369ndash3781988

[30] S Nakamoto ldquoBitcoin a peer-to-peer electronic cash systemrdquo2009 httpsmetzdowdcom

[31] A G Reddy E-J Yoon A K Das V Odelu and K-Y YooldquoDesign of mutually authenticated key agreement protocolresistant to impersonation attacks for multi-server environ-mentrdquo IEEE Access vol 5 pp 3622ndash3639 2017

[32] S Jangirala S Mukhopadhyay and A K Das ldquoAmulti-serverenvironment with secure and efficient remote user authen-tication scheme based on dynamic ID using smart cardsrdquoWireless Personal Communications vol 95 no 3 pp 2735ndash2767 2017

[33] M Bellare R Canetti and H Krawczyk ldquoA modular ap-proach to the design and analysis of authentication and keyexchange protocols (extended abstract)rdquo in Proceedings of the30th Annual ACM Symposium on 4eory of ComputingmdashSTOC rsquo98 pp 419ndash428 Dallas TX USA May 1998

[34] C Ran and H Krawczyk ldquoUniversally composable notions ofkey exchange and secure channelsrdquo in Proceedings of theInternational Conference on the 4eory and Applications ofCryptographic Techniques Advances in Cryptology Amster-dam Netherlands April 2002

[35] D Wang H Cheng P Wang X Huang and G Jian ldquoZipfrsquoslaw in passwordsrdquo IEEE Transactions on Information Fo-rensics and Security vol 12 no 11 pp 2776ndash2791 2017

[36] R Canetti and H Krawczyk ldquoAnalysis of key-exchangeprotocols and their use for building secure channelsrdquo inAdvances in CryptologymdashEUROCRYPT 2001 B PfitzmannEd Springer Berlin Germany pp 453ndash474 2001

[37] D Pointcheval and J Stern ldquoSecurity arguments for digitalsignatures and blind signaturesrdquo Journal of Cryptologyvol 13 no 3 pp 361ndash396 2000

[38] S Kumari X Li F Wu A K Das K-K R Choo and J ShenldquoDesign of a provably secure biometrics-based multi-cloud-

server authentication schemerdquo Future Generation ComputerSystems vol 68 pp 320ndash330 2017

[39] A G Reddy A K Das V Odelu and K-Y Yoo ldquoAn en-hanced biometric based authentication with key-agreementprotocol for multi-server architecture based on elliptic curvecryptographyrdquo PLoS One vol 11 no 5 Article ID e01543082016

[40] D Wang and P Wang ldquoTwo birds with one stone two-factorauthentication with security beyond conventional boundrdquoIEEE Transactions on Dependable and Secure Computingvol 15 no 4 pp 708ndash722 2018

[41] D Wang W Li and P Wang ldquoMeasuring two-factor au-thentication schemes for real-time data access in industrialwireless sensor networksrdquo IEEE Transactions on IndustrialInformatics vol 14 no 9 pp 4081ndash4092 2018

[42] S S Ltd ldquoBWorld robot control softwarerdquo 2015 httpwwwshamusieindexphppage=home


user authentication rights and access capabilities e hi-erarchical authentication functionality has been achievedin the MSAA1 protocol [2 4] In the MSAA1 protocol anRC is required at the authentication phase erefore RCcan verify the userrsquos authentication rights to determinewhether heshe can access to service providers that are at aparticular level However MSAA1 protocols have severaldrawbacks such as unreasonable communication cost thatwe showed earlier making the whole system inefficientSuppose we apply the existing MSAA2 protocols to theabove environment there should be multiple RCs to manageusers and service providers at different levels Users andservice providers need to store various certificates fromdifferent RCs e missing of hierarchical authenticationfunctionality in the existing MSAA2 protocols motivates usto design a new lightweight hierarchical authenticationprotocol for multiserver architecture

e proposed protocol uses a self-constructed Merkletree to achieve hierarchical authentication functionality Inthe proposed protocol a session key is established betweenservice providers and users without involving RC this sig-nificantly reduces communication cost and makes the au-thentication process faster e proposed protocol can meetthe security requirements of the multiserver architecture andis provably secure in general security model

e remainder of this paper is organized as followsSection 2 discusses the related work Section 3 describespreliminaries In Section 4 we show the details of theproposed protocol Section 5 gives out the formal securityproof of the proposed protocol Section 6 presents a com-parison of the proposed protocol with other related protocolson security computation and communication costs Section7 concludes the paper

2 Related Work

Li et al [1] proposed a new multiserver architecture au-thentication (MSAA) protocol for cloud computing basedon the identity-based model Shao and Chin [4] proposedan authentication protocol for multiserver architecture butfailed to resist the server spoofing and the impersonationattacks He and Wang [5] constructed the first genuinelythree-factor authentication protocol for the multiserverarchitecture but their protocol is vulnerable to the knownsession-specific temporary information attack and imper-sonation attack Odelu et al [6] proposed an improvedprotocol to solve the security drawbacks in [5] Xie et al [7]proposed a two-factor authentication protocol HoweverXiersquos protocol cannot resist the lost smart card attack and theoffline dictionary guessing attack To address the drawbacksChandrakar and Om [8] proposed a new security-enhancedthree-factor protocol Feng et al [9] proposed an enhancedbiometrics-based authentication protocol that can provideuser anonymity Amin et al [10] proposed a lightweightauthentication protocol that has lower computational andcommunication costs Cui et al [11] proposed an efficientprotocol that only uses nonce exclusive-OR operation andone-way hash function their protocol greatly reduces thecomputation cost However in this kind of protocol they all

need the help of an online registration center to achieve mutualauthentication which increases the communication cost

In order to solve the drawbacks in the first type protocolChoi et al [12] proposed the first MSAA protocol withoutthe online registration center Tseng et al [13] proposed alist-free ID-based authentication protocol using bilinearpairings for the multiserver architecture However Tsenget al [13] cannot provide credentials privacy and untrace-ability for users Recently Odelu et al [14] and He et al [15]proposed new protocols that reduce the computation andcommunication costs Irshad et al [16] found protocol in[17] cannot achieve desired security goals erefore theyproposed an improved multiserver authentication protocolfor distributed mobile cloud computing services AfterwardXiong et al [18] found protocol in [16] has unreasonablecomputation cost so they proposed an enhanced protocolfor distributed mobile cloud At the same time Xiong et al[19] proposed a new lightweight anonymous authenticationprotocol to reduce computation and communication costsBarman et al [25] used fuzzy commitment approach tosecure the information stored on personal device Kumariet al [20] proposed a concept of the fuzzy extractor toprovide the proper matching of biometric patterns Xu et al[21] proposed a new protocol that provides untraceabilityJiang et al [22] performed a security analysis to the protocolin [17] pointing out that it is vulnerable to the imper-sonation attack Chatterjee et al [23] proposed a biometric-based protocol using the chaotic map and enhanced thesecurity for multiserver architecture We summarizetechniques advantages and disadvantages that the existingprotocols used in Table 1

3 Preliminaries

In this section we introduce preliminaries of the proposedprotocol

Let G1 and G2 be an additive cyclic group and a mul-tiplicative cyclic group both of them have a large primeorder q Let 1113954e G1 times G1⟶ G2 denote a bilinear mapSuppose P is a generator of G1 g is a generator of G2 Abilinear map 1113954e has the following properties

(i) Bilinearity for all P Q isin G1 and for all a b isin Zlowastq 1113954e(aP bQ) 1113954e(P Q)ab

(ii) Computability there exists an algorithm that cansuccessfully compute 1113954e(P Q) for all P Q isin G1

(iii) Nondegeneracy there exists P Q isin G1 such that1113954e(P Q)ne 1 where 1 is the identity element of G2

We list the hard problems that we used in the proposedprotocol as follows

(i) Discrete logarithm (DL) problem given an elementx isin G2 it is hard to compute a isin Zlowastq such thatx ga

(ii) Computational DiffiendashHellman (CDH) problemgiven two elements ga gb isin G2 it is hard to com-pute gamiddotb isin G2 where a and b are unknown andrandomly chosen from Zlowastq

















channel





























(1(s +











(1(s +


1113954T1113882 1113883 to him via a
















dUi and F (aiIDUi



is inIDRL if IDUi







P + Ppub)






r12 )









KRn

KR1

L1

a1 a 1

L2

a2 a 2

KRnndash1

Lnndash1

anndash1

Ln

an

a nndash1KR2

hellip a n








⟶IDSj


dSj (1(s + H1(IDSj

))) middot P

larrdSj

1113954T1113966 1113967

secure channel

Stores dSj 1113954T1113882 1113883



⟶IDUi




⟵dUi

ai1113966 1113967







) middot P + Ppub)

D H1(IDUieIDSj

g1)


eIDSj)oplusH2(g1)

⟶CEF


eIDSj) FoplusH2(g1)




r2 H1( 1113954r2dSj) g2 gr2 sk H2(g


C)

⟵(Gg2)


C) checks

Glowast





a random string










If dUihas






5 Security Proof








KRn

KRnndash1

a n


KRn

KRnndash1

a n

KR2

KR1

a 1

a 2

hellip

a nndash1

















rang

into list ElistdSj

(iv) Send (Πl
















Σ (A)
















Cchecks if langIDUi


dUi

then C senddUi


(1) If IDUi IDUch



αrang into Hlist1

langIDUi dUi

rang into ElistU





1 langIDUi dUi

rang in ElistdUi





If yesC send


isin Zlowastq



dSjrang into Elist

dSj

langIDSj rdSj


sends dSjto A






dUirang in

ElistdUi

and returns dUito A


dSjrang in

ElistdSj

and returns dSjto A




If IDUine IDUch






middot gD


middot gDprime

(1)




gUi

middot gD

gUimiddot gDprime

gDminus Dprime

(2)



and IDUIare equal





11138681113868111386811138681113960 1113961



qH1

middot ε


qSend

2l1113882 1113883

(3)
















and then C




stores langIDUi dUi

rang in ElistdUi

langIDUi rdUi

rang in Hlist1 and

sends dUito A





and then C


ations as follows

(1) If IDSj IDSch




dSj


C randomly selects




Prang in ElistdSj






and IDSchare equal






1113868111386811138681113868 E11113960 1113961 middot Pr E11113858 1113859

ge1 minus 1 qSend + 1( 1113857( 1113857( 1113857

qSend

qH1middot qH2

middot ε(4)












minus Pr E US 1113960 1113961

(5)



minusPr E US 1113960 1113961

2 (6)


Pr sk H2 gr1r2( 1113857

1113868111386811138681113868 r1 r2⟵Zlowastq1113960 1113961ge

ε4

minusPr E US 1113960 1113961

2 (7)





and IDSjcan au-









) middot P +






r21 g


























eKRi) middot P +

Ppub)









Tabl

e6

Performance

comparison

Protocol

roun

ds

Com

putatio

ncost

Com

mun

ication

cost

Storagecost

Security

requ

irem

ents

Usersid

eServer

side

User

side

Server

side

C1

C2

C3

C4

C5

C6

C7

C8

C9

C10

C11

C12

C13

Odelu

etal[14]

3T

mtp

+4T

h+3T

sm

+2T

expasymp78

519

Tm

tp+4T

h+4T

exp

+T

sm

+Tmul

+2T

bpasymp15

303

832

672

1674

Heet

al

[15]

32T

sm+

Tp

a+2T

exp

+8T

h

asymp31

837

Tbp

+4T

exp

+2T

mul

+5T

hasymp5246

2240

1184

3424

Ours

23T

sm+2T

exp

+T

pa

+6T

hasymp45

354

2Tbp

+4T

exp

+T

sm+

Tp

a

+Tmul

+7T

hasymp11

107

896

672

1834

















CUirequire 1024 + 32+1024 + 160 2240 bits






gUiψUi

vUi bUi

1113882 1113883 which costs 3230



User 33582 32713 13405 0081 2249 0008 0056Server 4174 1665 1665 0011 0260 0001 0006



7 Conclusion


Data Availability




Acknowledgments


References






























































channel





























(1(s +











(1(s +


1113954T1113882 1113883 to him via a
















dUi and F (aiIDUi



is inIDRL if IDUi







P + Ppub)






r12 )









KRn

KR1

L1

a1 a 1

L2

a2 a 2

KRnndash1

Lnndash1

anndash1

Ln

an

a nndash1KR2

hellip a n








⟶IDSj


dSj (1(s + H1(IDSj

))) middot P

larrdSj

1113954T1113966 1113967

secure channel

Stores dSj 1113954T1113882 1113883



⟶IDUi




⟵dUi

ai1113966 1113967







) middot P + Ppub)

D H1(IDUieIDSj

g1)


eIDSj)oplusH2(g1)

⟶CEF


eIDSj) FoplusH2(g1)




r2 H1( 1113954r2dSj) g2 gr2 sk H2(g


C)

⟵(Gg2)


C) checks

Glowast





a random string










If dUihas






5 Security Proof








KRn

KRnndash1

a n


KRn

KRnndash1

a n

KR2

KR1

a 1

a 2

hellip

a nndash1

















rang

into list ElistdSj

(iv) Send (Πl
















Σ (A)
















Cchecks if langIDUi


dUi

then C senddUi


(1) If IDUi IDUch



αrang into Hlist1

langIDUi dUi

rang into ElistU





1 langIDUi dUi

rang in ElistdUi





If yesC send


isin Zlowastq



dSjrang into Elist

dSj

langIDSj rdSj


sends dSjto A






dUirang in

ElistdUi

and returns dUito A


dSjrang in

ElistdSj

and returns dSjto A




If IDUine IDUch






middot gD


middot gDprime

(1)




gUi

middot gD

gUimiddot gDprime

gDminus Dprime

(2)



and IDUIare equal





11138681113868111386811138681113960 1113961



qH1

middot ε


qSend

2l1113882 1113883

(3)
















and then C




stores langIDUi dUi

rang in ElistdUi

langIDUi rdUi

rang in Hlist1 and

sends dUito A





and then C


ations as follows

(1) If IDSj IDSch




dSj


C randomly selects




Prang in ElistdSj






and IDSchare equal






1113868111386811138681113868 E11113960 1113961 middot Pr E11113858 1113859

ge1 minus 1 qSend + 1( 1113857( 1113857( 1113857

qSend

qH1middot qH2

middot ε(4)












minus Pr E US 1113960 1113961

(5)



minusPr E US 1113960 1113961

2 (6)


Pr sk H2 gr1r2( 1113857

1113868111386811138681113868 r1 r2⟵Zlowastq1113960 1113961ge

ε4

minusPr E US 1113960 1113961

2 (7)





and IDSjcan au-









) middot P +






r21 g


























eKRi) middot P +

Ppub)









Tabl

e6

Performance

comparison

Protocol

roun

ds

Com

putatio

ncost

Com

mun

ication

cost

Storagecost

Security

requ

irem

ents

Usersid

eServer

side

User

side

Server

side

C1

C2

C3

C4

C5

C6

C7

C8

C9

C10

C11

C12

C13

Odelu

etal[14]

3T

mtp

+4T

h+3T

sm

+2T

expasymp78

519

Tm

tp+4T

h+4T

exp

+T

sm

+Tmul

+2T

bpasymp15

303

832

672

1674

Heet

al

[15]

32T

sm+

Tp

a+2T

exp

+8T

h

asymp31

837

Tbp

+4T

exp

+2T

mul

+5T

hasymp5246

2240

1184

3424

Ours

23T

sm+2T

exp

+T

pa

+6T

hasymp45

354

2Tbp

+4T

exp

+T

sm+

Tp

a

+Tmul

+7T

hasymp11

107

896

672

1834

















CUirequire 1024 + 32+1024 + 160 2240 bits






gUiψUi

vUi bUi

1113882 1113883 which costs 3230



User 33582 32713 13405 0081 2249 0008 0056Server 4174 1665 1665 0011 0260 0001 0006



7 Conclusion


Data Availability




Acknowledgments


References
















































(1(s +











(1(s +


1113954T1113882 1113883 to him via a
















dUi and F (aiIDUi



is inIDRL if IDUi







P + Ppub)






r12 )









KRn

KR1

L1

a1 a 1

L2

a2 a 2

KRnndash1

Lnndash1

anndash1

Ln

an

a nndash1KR2

hellip a n








⟶IDSj


dSj (1(s + H1(IDSj

))) middot P

larrdSj

1113954T1113966 1113967

secure channel

Stores dSj 1113954T1113882 1113883



⟶IDUi




⟵dUi

ai1113966 1113967







) middot P + Ppub)

D H1(IDUieIDSj

g1)


eIDSj)oplusH2(g1)

⟶CEF


eIDSj) FoplusH2(g1)




r2 H1( 1113954r2dSj) g2 gr2 sk H2(g


C)

⟵(Gg2)


C) checks

Glowast





a random string










If dUihas






5 Security Proof








KRn

KRnndash1

a n


KRn

KRnndash1

a n

KR2

KR1

a 1

a 2

hellip

a nndash1

















rang

into list ElistdSj

(iv) Send (Πl
















Σ (A)
















Cchecks if langIDUi


dUi

then C senddUi


(1) If IDUi IDUch



αrang into Hlist1

langIDUi dUi

rang into ElistU





1 langIDUi dUi

rang in ElistdUi





If yesC send


isin Zlowastq



dSjrang into Elist

dSj

langIDSj rdSj


sends dSjto A






dUirang in

ElistdUi

and returns dUito A


dSjrang in

ElistdSj

and returns dSjto A




If IDUine IDUch






middot gD


middot gDprime

(1)




gUi

middot gD

gUimiddot gDprime

gDminus Dprime

(2)



and IDUIare equal





11138681113868111386811138681113960 1113961



qH1

middot ε


qSend

2l1113882 1113883

(3)
















and then C




stores langIDUi dUi

rang in ElistdUi

langIDUi rdUi

rang in Hlist1 and

sends dUito A





and then C


ations as follows

(1) If IDSj IDSch




dSj


C randomly selects




Prang in ElistdSj






and IDSchare equal






1113868111386811138681113868 E11113960 1113961 middot Pr E11113858 1113859

ge1 minus 1 qSend + 1( 1113857( 1113857( 1113857

qSend

qH1middot qH2

middot ε(4)












minus Pr E US 1113960 1113961

(5)



minusPr E US 1113960 1113961

2 (6)


Pr sk H2 gr1r2( 1113857

1113868111386811138681113868 r1 r2⟵Zlowastq1113960 1113961ge

ε4

minusPr E US 1113960 1113961

2 (7)





and IDSjcan au-









) middot P +






r21 g


























eKRi) middot P +

Ppub)









Tabl

e6

Performance

comparison

Protocol

roun

ds

Com

putatio

ncost

Com

mun

ication

cost

Storagecost

Security

requ

irem

ents

Usersid

eServer

side

User

side

Server

side

C1

C2

C3

C4

C5

C6

C7

C8

C9

C10

C11

C12

C13

Odelu

etal[14]

3T

mtp

+4T

h+3T

sm

+2T

expasymp78

519

Tm

tp+4T

h+4T

exp

+T

sm

+Tmul

+2T

bpasymp15

303

832

672

1674

Heet

al

[15]

32T

sm+

Tp

a+2T

exp

+8T

h

asymp31

837

Tbp

+4T

exp

+2T

mul

+5T

hasymp5246

2240

1184

3424

Ours

23T

sm+2T

exp

+T

pa

+6T

hasymp45

354

2Tbp

+4T

exp

+T

sm+

Tp

a

+Tmul

+7T

hasymp11

107

896

672

1834

















CUirequire 1024 + 32+1024 + 160 2240 bits






gUiψUi

vUi bUi

1113882 1113883 which costs 3230



User 33582 32713 13405 0081 2249 0008 0056Server 4174 1665 1665 0011 0260 0001 0006



7 Conclusion


Data Availability




Acknowledgments


References




















































⟶IDSj


dSj (1(s + H1(IDSj

))) middot P

larrdSj

1113954T1113966 1113967

secure channel

Stores dSj 1113954T1113882 1113883



⟶IDUi




⟵dUi

ai1113966 1113967







) middot P + Ppub)

D H1(IDUieIDSj

g1)


eIDSj)oplusH2(g1)

⟶CEF


eIDSj) FoplusH2(g1)




r2 H1( 1113954r2dSj) g2 gr2 sk H2(g


C)

⟵(Gg2)


C) checks

Glowast





a random string










If dUihas






5 Security Proof








KRn

KRnndash1

a n


KRn

KRnndash1

a n

KR2

KR1

a 1

a 2

hellip

a nndash1

















rang

into list ElistdSj

(iv) Send (Πl
















Σ (A)
















Cchecks if langIDUi


dUi

then C senddUi


(1) If IDUi IDUch



αrang into Hlist1

langIDUi dUi

rang into ElistU





1 langIDUi dUi

rang in ElistdUi





If yesC send


isin Zlowastq



dSjrang into Elist

dSj

langIDSj rdSj


sends dSjto A






dUirang in

ElistdUi

and returns dUito A


dSjrang in

ElistdSj

and returns dSjto A




If IDUine IDUch






middot gD


middot gDprime

(1)




gUi

middot gD

gUimiddot gDprime

gDminus Dprime

(2)



and IDUIare equal





11138681113868111386811138681113960 1113961



qH1

middot ε


qSend

2l1113882 1113883

(3)
















and then C




stores langIDUi dUi

rang in ElistdUi

langIDUi rdUi

rang in Hlist1 and

sends dUito A





and then C


ations as follows

(1) If IDSj IDSch




dSj


C randomly selects




Prang in ElistdSj






and IDSchare equal






1113868111386811138681113868 E11113960 1113961 middot Pr E11113858 1113859

ge1 minus 1 qSend + 1( 1113857( 1113857( 1113857

qSend

qH1middot qH2

middot ε(4)












minus Pr E US 1113960 1113961

(5)



minusPr E US 1113960 1113961

2 (6)


Pr sk H2 gr1r2( 1113857

1113868111386811138681113868 r1 r2⟵Zlowastq1113960 1113961ge

ε4

minusPr E US 1113960 1113961

2 (7)





and IDSjcan au-









) middot P +






r21 g


























eKRi) middot P +

Ppub)









Tabl

e6

Performance

comparison

Protocol

roun

ds

Com

putatio

ncost

Com

mun

ication

cost

Storagecost

Security

requ

irem

ents

Usersid

eServer

side

User

side

Server

side

C1

C2

C3

C4

C5

C6

C7

C8

C9

C10

C11

C12

C13

Odelu

etal[14]

3T

mtp

+4T

h+3T

sm

+2T

expasymp78

519

Tm

tp+4T

h+4T

exp

+T

sm

+Tmul

+2T

bpasymp15

303

832

672

1674

Heet

al

[15]

32T

sm+

Tp

a+2T

exp

+8T

h

asymp31

837

Tbp

+4T

exp

+2T

mul

+5T

hasymp5246

2240

1184

3424

Ours

23T

sm+2T

exp

+T

pa

+6T

hasymp45

354

2Tbp

+4T

exp

+T

sm+

Tp

a

+Tmul

+7T

hasymp11

107

896

672

1834

















CUirequire 1024 + 32+1024 + 160 2240 bits






gUiψUi

vUi bUi

1113882 1113883 which costs 3230



User 33582 32713 13405 0081 2249 0008 0056Server 4174 1665 1665 0011 0260 0001 0006



7 Conclusion


Data Availability




Acknowledgments


References

















































a random string










If dUihas






5 Security Proof








KRn

KRnndash1

a n


KRn

KRnndash1

a n

KR2

KR1

a 1

a 2

hellip

a nndash1

















rang

into list ElistdSj

(iv) Send (Πl
















Σ (A)
















Cchecks if langIDUi


dUi

then C senddUi


(1) If IDUi IDUch



αrang into Hlist1

langIDUi dUi

rang into ElistU





1 langIDUi dUi

rang in ElistdUi





If yesC send


isin Zlowastq



dSjrang into Elist

dSj

langIDSj rdSj


sends dSjto A






dUirang in

ElistdUi

and returns dUito A


dSjrang in

ElistdSj

and returns dSjto A




If IDUine IDUch






middot gD


middot gDprime

(1)




gUi

middot gD

gUimiddot gDprime

gDminus Dprime

(2)



and IDUIare equal





11138681113868111386811138681113960 1113961



qH1

middot ε


qSend

2l1113882 1113883

(3)
















and then C




stores langIDUi dUi

rang in ElistdUi

langIDUi rdUi

rang in Hlist1 and

sends dUito A





and then C


ations as follows

(1) If IDSj IDSch




dSj


C randomly selects




Prang in ElistdSj






and IDSchare equal






1113868111386811138681113868 E11113960 1113961 middot Pr E11113858 1113859

ge1 minus 1 qSend + 1( 1113857( 1113857( 1113857

qSend

qH1middot qH2

middot ε(4)












minus Pr E US 1113960 1113961

(5)



minusPr E US 1113960 1113961

2 (6)


Pr sk H2 gr1r2( 1113857

1113868111386811138681113868 r1 r2⟵Zlowastq1113960 1113961ge

ε4

minusPr E US 1113960 1113961

2 (7)





and IDSjcan au-









) middot P +






r21 g


























eKRi) middot P +

Ppub)









Tabl

e6

Performance

comparison

Protocol

roun

ds

Com

putatio

ncost

Com

mun

ication

cost

Storagecost

Security

requ

irem

ents

Usersid

eServer

side

User

side

Server

side

C1

C2

C3

C4

C5

C6

C7

C8

C9

C10

C11

C12

C13

Odelu

etal[14]

3T

mtp

+4T

h+3T

sm

+2T

expasymp78

519

Tm

tp+4T

h+4T

exp

+T

sm

+Tmul

+2T

bpasymp15

303

832

672

1674

Heet

al

[15]

32T

sm+

Tp

a+2T

exp

+8T

h

asymp31

837

Tbp

+4T

exp

+2T

mul

+5T

hasymp5246

2240

1184

3424

Ours

23T

sm+2T

exp

+T

pa

+6T

hasymp45

354

2Tbp

+4T

exp

+T

sm+

Tp

a

+Tmul

+7T

hasymp11

107

896

672

1834

















CUirequire 1024 + 32+1024 + 160 2240 bits






gUiψUi

vUi bUi

1113882 1113883 which costs 3230



User 33582 32713 13405 0081 2249 0008 0056Server 4174 1665 1665 0011 0260 0001 0006



7 Conclusion


Data Availability




Acknowledgments


References





























































rang

into list ElistdSj

(iv) Send (Πl
















Σ (A)
















Cchecks if langIDUi


dUi

then C senddUi


(1) If IDUi IDUch



αrang into Hlist1

langIDUi dUi

rang into ElistU





1 langIDUi dUi

rang in ElistdUi





If yesC send


isin Zlowastq



dSjrang into Elist

dSj

langIDSj rdSj


sends dSjto A






dUirang in

ElistdUi

and returns dUito A


dSjrang in

ElistdSj

and returns dSjto A




If IDUine IDUch






middot gD


middot gDprime

(1)




gUi

middot gD

gUimiddot gDprime

gDminus Dprime

(2)



and IDUIare equal





11138681113868111386811138681113960 1113961



qH1

middot ε


qSend

2l1113882 1113883

(3)
















and then C




stores langIDUi dUi

rang in ElistdUi

langIDUi rdUi

rang in Hlist1 and

sends dUito A





and then C


ations as follows

(1) If IDSj IDSch




dSj


C randomly selects




Prang in ElistdSj






and IDSchare equal






1113868111386811138681113868 E11113960 1113961 middot Pr E11113858 1113859

ge1 minus 1 qSend + 1( 1113857( 1113857( 1113857

qSend

qH1middot qH2

middot ε(4)












minus Pr E US 1113960 1113961

(5)



minusPr E US 1113960 1113961

2 (6)


Pr sk H2 gr1r2( 1113857

1113868111386811138681113868 r1 r2⟵Zlowastq1113960 1113961ge

ε4

minusPr E US 1113960 1113961

2 (7)





and IDSjcan au-









) middot P +






r21 g


























eKRi) middot P +

Ppub)









Tabl

e6

Performance

comparison

Protocol

roun

ds

Com

putatio

ncost

Com

mun

ication

cost

Storagecost

Security

requ

irem

ents

Usersid

eServer

side

User

side

Server

side

C1

C2

C3

C4

C5

C6

C7

C8

C9

C10

C11

C12

C13

Odelu

etal[14]

3T

mtp

+4T

h+3T

sm

+2T

expasymp78

519

Tm

tp+4T

h+4T

exp

+T

sm

+Tmul

+2T

bpasymp15

303

832

672

1674

Heet

al

[15]

32T

sm+

Tp

a+2T

exp

+8T

h

asymp31

837

Tbp

+4T

exp

+2T

mul

+5T

hasymp5246

2240

1184

3424

Ours

23T

sm+2T

exp

+T

pa

+6T

hasymp45

354

2Tbp

+4T

exp

+T

sm+

Tp

a

+Tmul

+7T

hasymp11

107

896

672

1834

















CUirequire 1024 + 32+1024 + 160 2240 bits






gUiψUi

vUi bUi

1113882 1113883 which costs 3230



User 33582 32713 13405 0081 2249 0008 0056Server 4174 1665 1665 0011 0260 0001 0006



7 Conclusion


Data Availability




Acknowledgments


References


















































middot gD


middot gDprime

(1)




gUi

middot gD

gUimiddot gDprime

gDminus Dprime

(2)



and IDUIare equal





11138681113868111386811138681113960 1113961



qH1

middot ε


qSend

2l1113882 1113883

(3)
















and then C




stores langIDUi dUi

rang in ElistdUi

langIDUi rdUi

rang in Hlist1 and

sends dUito A





and then C


ations as follows

(1) If IDSj IDSch




dSj


C randomly selects




Prang in ElistdSj






and IDSchare equal






1113868111386811138681113868 E11113960 1113961 middot Pr E11113858 1113859

ge1 minus 1 qSend + 1( 1113857( 1113857( 1113857

qSend

qH1middot qH2

middot ε(4)












minus Pr E US 1113960 1113961

(5)



minusPr E US 1113960 1113961

2 (6)


Pr sk H2 gr1r2( 1113857

1113868111386811138681113868 r1 r2⟵Zlowastq1113960 1113961ge

ε4

minusPr E US 1113960 1113961

2 (7)





and IDSjcan au-









) middot P +






r21 g


























eKRi) middot P +

Ppub)









Tabl

e6

Performance

comparison

Protocol

roun

ds

Com

putatio

ncost

Com

mun

ication

cost

Storagecost

Security

requ

irem

ents

Usersid

eServer

side

User

side

Server

side

C1

C2

C3

C4

C5

C6

C7

C8

C9

C10

C11

C12

C13

Odelu

etal[14]

3T

mtp

+4T

h+3T

sm

+2T

expasymp78

519

Tm

tp+4T

h+4T

exp

+T

sm

+Tmul

+2T

bpasymp15

303

832

672

1674

Heet

al

[15]

32T

sm+

Tp

a+2T

exp

+8T

h

asymp31

837

Tbp

+4T

exp

+2T

mul

+5T

hasymp5246

2240

1184

3424

Ours

23T

sm+2T

exp

+T

pa

+6T

hasymp45

354

2Tbp

+4T

exp

+T

sm+

Tp

a

+Tmul

+7T

hasymp11

107

896

672

1834

















CUirequire 1024 + 32+1024 + 160 2240 bits






gUiψUi

vUi bUi

1113882 1113883 which costs 3230



User 33582 32713 13405 0081 2249 0008 0056Server 4174 1665 1665 0011 0260 0001 0006



7 Conclusion


Data Availability




Acknowledgments


References























































minus Pr E US 1113960 1113961

(5)



minusPr E US 1113960 1113961

2 (6)


Pr sk H2 gr1r2( 1113857

1113868111386811138681113868 r1 r2⟵Zlowastq1113960 1113961ge

ε4

minusPr E US 1113960 1113961

2 (7)





and IDSjcan au-









) middot P +






r21 g


























eKRi) middot P +

Ppub)









Tabl

e6

Performance

comparison

Protocol

roun

ds

Com

putatio

ncost

Com

mun

ication

cost

Storagecost

Security

requ

irem

ents

Usersid

eServer

side

User

side

Server

side

C1

C2

C3

C4

C5

C6

C7

C8

C9

C10

C11

C12

C13

Odelu

etal[14]

3T

mtp

+4T

h+3T

sm

+2T

expasymp78

519

Tm

tp+4T

h+4T

exp

+T

sm

+Tmul

+2T

bpasymp15

303

832

672

1674

Heet

al

[15]

32T

sm+

Tp

a+2T

exp

+8T

h

asymp31

837

Tbp

+4T

exp

+2T

mul

+5T

hasymp5246

2240

1184

3424

Ours

23T

sm+2T

exp

+T

pa

+6T

hasymp45

354

2Tbp

+4T

exp

+T

sm+

Tp

a

+Tmul

+7T

hasymp11

107

896

672

1834

















CUirequire 1024 + 32+1024 + 160 2240 bits






gUiψUi

vUi bUi

1113882 1113883 which costs 3230



User 33582 32713 13405 0081 2249 0008 0056Server 4174 1665 1665 0011 0260 0001 0006



7 Conclusion


Data Availability




Acknowledgments


References




































































eKRi) middot P +

Ppub)









Tabl

e6

Performance

comparison

Protocol

roun

ds

Com

putatio

ncost

Com

mun

ication

cost

Storagecost

Security

requ

irem

ents

Usersid

eServer

side

User

side

Server

side

C1

C2

C3

C4

C5

C6

C7

C8

C9

C10

C11

C12

C13

Odelu

etal[14]

3T

mtp

+4T

h+3T

sm

+2T

expasymp78

519

Tm

tp+4T

h+4T

exp

+T

sm

+Tmul

+2T

bpasymp15

303

832

672

1674

Heet

al

[15]

32T

sm+

Tp

a+2T

exp

+8T

h

asymp31

837

Tbp

+4T

exp

+2T

mul

+5T

hasymp5246

2240

1184

3424

Ours

23T

sm+2T

exp

+T

pa

+6T

hasymp45

354

2Tbp

+4T

exp

+T

sm+

Tp

a

+Tmul

+7T

hasymp11

107

896

672

1834

















CUirequire 1024 + 32+1024 + 160 2240 bits






gUiψUi

vUi bUi

1113882 1113883 which costs 3230



User 33582 32713 13405 0081 2249 0008 0056Server 4174 1665 1665 0011 0260 0001 0006



7 Conclusion


Data Availability




Acknowledgments


References















































Tabl

e6

Performance

comparison

Protocol

roun

ds

Com

putatio

ncost

Com

mun

ication

cost

Storagecost

Security

requ

irem

ents

Usersid

eServer

side

User

side

Server

side

C1

C2

C3

C4

C5

C6

C7

C8

C9

C10

C11

C12

C13

Odelu

etal[14]

3T

mtp

+4T

h+3T

sm

+2T

expasymp78

519

Tm

tp+4T

h+4T

exp

+T

sm

+Tmul

+2T

bpasymp15

303

832

672

1674

Heet

al

[15]

32T

sm+

Tp

a+2T

exp

+8T

h

asymp31

837

Tbp

+4T

exp

+2T

mul

+5T

hasymp5246

2240

1184

3424

Ours

23T

sm+2T

exp

+T

pa

+6T

hasymp45

354

2Tbp

+4T

exp

+T

sm+

Tp

a

+Tmul

+7T

hasymp11

107

896

672

1834

















CUirequire 1024 + 32+1024 + 160 2240 bits






gUiψUi

vUi bUi

1113882 1113883 which costs 3230



User 33582 32713 13405 0081 2249 0008 0056Server 4174 1665 1665 0011 0260 0001 0006



7 Conclusion


Data Availability




Acknowledgments


References






























































CUirequire 1024 + 32+1024 + 160 2240 bits






gUiψUi

vUi bUi

1113882 1113883 which costs 3230



User 33582 32713 13405 0081 2249 0008 0056Server 4174 1665 1665 0011 0260 0001 0006



7 Conclusion


Data Availability




Acknowledgments


References
















































7 Conclusion


Data Availability




Acknowledgments


References















































efficienthierarchicalauthenticationprotocolfor...

Documents