A Provably-Secure ECC-Based Authentication Scheme for Wireless Sensor Networks

A smart-card-based user authentication scheme for wireless sensor networks (in short, a SUA-WSN scheme) is designed to restrict access to the sensor data only to users who are in possession of both a smart card and the corresponding password. While a significant number of SUA-WSN schemes have been suggested in recent years, their intended security properties lack formal definitions and proofs in a widely-accepted model. One consequence is that SUA-WSN schemes insecure against various attacks have proliferated. In this paper, we devise a security model for the analysis of SUA-WSN schemes by extending the widely-accepted model of Bellare, Pointcheval and Rogaway (2000). Our model provides formal definitions of authenticated key exchange and user anonymity while capturing side-channel attacks, as well as other common attacks. We also propose a new SUA-WSN scheme based on elliptic curve cryptography (ECC), and prove its security properties in our extended model. To the best of our knowledge, our proposed scheme is the first SUA-WSN scheme that provably achieves both authenticated key exchange and user anonymity. Our scheme is also computationally competitive with other ECC-based (non-provably secure) schemes.

Abstract: A smart-card-based user authentication scheme for wireless sensor networks (in short, a SUA-WSN scheme) is designed to restrict access to the sensor data only to users who are in possession of both a smart card and the corresponding password. While a significant number of SUA-WSN schemes have been suggested in recent years, their intended security properties lack formal definitions and proofs in a widely-accepted model. One consequence is that SUA-WSN schemes insecure against various attacks have proliferated. In this paper, we devise a security model for the analysis of SUA-WSN schemes by extending the widely-accepted model of Bellare, Pointcheval and Rogaway (2000). Our model provides formal definitions of authenticated key exchange and user anonymity while capturing side-channel attacks, as well as other common attacks. We also propose a new SUA-WSN scheme based on elliptic curve cryptography (ECC), and prove its security properties in our extended model. To the best of our knowledge, our proposed scheme is the first SUA-WSN scheme that provably achieves both authenticated key exchange and user anonymity. Our scheme is also computationally competitive with other ECC-based (non-provably secure) schemes.
Keywords: wireless sensor network; authentication scheme; authenticated key exchange; user anonymity; smart card; two-factor security

Introduction
As various sensors emerge and the related technologies advance, there has been a dramatic increase in the interest in wireless sensor networks (WSNs). Today, billions of physical, chemical and biological sensors are being deployed into various types of WSNs for numerous applications, including military surveillance, wildlife monitoring, vehicular tracking and healthcare diagnostics [1]. A major benefit of WSN systems is that they provide unprecedented abilities to explore and understand large-scale, real-world data and phenomena at a fine-grained level of temporal and spatial resolution. However, providing an application service in a WSN environment introduces significant security challenges to be addressed among the involved parties: users, sensors and gateways. One important challenge is to achieve authenticated key exchange between users and sensors (via the assistance of a gateway), thereby preventing illegal access to the sensor data and their transmissions. Authenticated key exchange in WSNs is more challenging to achieve than in traditional networks due to the sensor network characteristics, such as resource constraints, unreliable communication channel and unattended operation. Another important challenge is to provide user anonymity, which makes authenticated key exchange even harder. As privacy concern increases, user anonymity has become a major security property in WSN applications, as well as in many other applications, like mobile roaming services, anonymous web browsing, location-based services and e-voting. User authentication schemes for WSNs are designed to address these security challenges [2,3], and are a subject of active research in network security and cryptography.
Generally speaking, the design of cryptographic schemes (including user authentication schemes for WSNs) is error-prone, and their security analysis is time-consuming. The difficulty of getting a high level of assurance in the security of cryptographic schemes is well illustrated with examples of flaws discovered in many such schemes years after they were published; see, e.g., [4][5][6]. The many flaws identified in published schemes over the decades have promoted formal security analyses, which are broadly classified into two approaches [7,8]: the computer security approach and the computational complexity approach. The computer security approach places its emphasis on automated machine specification and analysis mostly in the Dolev-Yao adversarial model [9], where the underlying cryptographic primitives are often used in a black-box manner ignoring some of cryptographic details. The main problem with this automated approach is intractability and undecidability, as the adversary may exhibit a large set of possible behaviors, which leads to a state explosion. Cryptographic schemes proven secure in such a fashion could possibly be flawed, yielding a false positive result. In contrast, the computational complexity approach places its emphasis on deriving a polynomial-time reduction from the problem of breaking the scheme into another problem believed to be hard. A complete computational proof under a well-established cryptographic assumption provides a strong assurance that the security properties of the scheme are satisfied. Accordingly, it has been standard practice for the designers of cryptographic schemes to provide a proven reduction for the security of their schemes in a widely-accepted model [10,11]. Although these human-generated mathematical proofs are usually lengthy and complicated, they are certainly an invaluable tool for getting secure cryptographic schemes.
One important security requirement for SUA-WSN schemes is to ensure that only a user who is in possession of both a smart card and the corresponding password can pass the authentication check of the gateway and gain access to the sensor network and data. A SUA-WSN scheme that meets this requirement is said to achieve two-factor security. To properly capture the notion of two-factor security, the adversary against SUA-WSN schemes is assumed to be able to either extract the sensitive information in the smart card of a user possibly via a side-channel attack [28,29] or learn the password of the user through shoulder-surfing or by exploiting a malicious card reader, but not both. Clearly, there is no means to prevent the adversary from impersonating a user if both the password of the user and the information in the smart card are disclosed.
Despite the research efforts over the recent years, it remains a significant challenge to design a robust SUA-WSN scheme that carries a formal proof of security in a widely-accepted model. As summarized in Table 1, most of the published schemes either provide no formal analysis of security [3,[12][13][14]16,[20][21][22][24][25][26] or fail to achieve important security properties, such as mutual authentication, session-key security, user anonymity, two-factor security and resistance against various attacks [3,[13][14][15][16]19,[21][22][23][24][25][26][27]30,31]. Some schemes [2,[17][18][19]23,27] have been proven secure using a computer security approach, which, as mentioned above, suffers from intractability and undecidability and could possibly give a false positive result. To the best of our knowledge, Chen and Shih's scheme [15] is the only SUA-WSN scheme that was proven secure using a computational complexity approach. However, Chen and Shih's scheme does not provide key exchange functionality, but only focuses on mutual authentication (and thus, inherently, cannot carry a proof of authenticated key exchange). Moreover, the security model used for this scheme captures neither the user anonymity property nor the notion of two-factor security. No key-exchange functionality Yeh et al. [16] Heuristic arguments Failures of mutual authentication and forward secrecy [30] Kumar et al. (2011) [2] Computer security approach Vulnerability to a node capture attack [24] Kumar et al. (2012) [17] Computer security approach Failures of authenticated key exchange, user anonymity and two-factor security [3,23] Yoo et al. [18] Computer security approach Vulnerability to a man-in-the-middle attack [22] Vaidya et al. [19] Computer security approach Failure of user authentication [25] Xue et al. [20] Heuristic arguments Vulnerability to a privileged insider attack [26] Shi and Gong [21] Heuristic arguments Failures of authenticated key exchange and two-factor security [ The contributions of this paper are two-fold: (1) We present a security model for the analysis of SUA-WSN schemes. Our security model is derived by extending the widely-accepted model of Bellare, Pointcheval and Rogaway [10] to incorporate into it the user anonymity property and the notion of two-factor security. Notice that the original Bellare-Pointcheval-Rogaway (BPR) model for authenticated key exchange (AKE) already captures insider attacks, offline dictionary attacks and other common attacks. We refer readers to [32] to understand how a key exchange scheme that is vulnerable to an offline dictionary attack can be rendered insecure in the BPR model. Our extension of the BPR model provides two security definitions, one for the AKE security and one for the user anonymity property, and both definitions capture the notion of two-factor security. Security properties like authentication, session-key security, perfect forward secrecy, known-key security and resistance against insider attacks and offline dictionary attacks are implied by the AKE security. (2) We propose the first SUA-WSN scheme whose AKE security, as well as user anonymity are formally proven in a widely-accepted model. Our scheme employs elliptic curve cryptography (ECC) to provide perfect forward secrecy, but differs from other ECC-based schemes [16,21,27] in that it provides user anonymity. We prove the security properties of our scheme in the random oracle model under the elliptic curve computational Diffie-Hellman (ECCDH) assumption. We also show that our provably-secure scheme is computationally competitive compared with other ECC-based (non-provably secure) schemes. Table 2 shows the basic notation that is used consistently throughout this paper. Table 2. Basic notation.

Symbol Description
Session key A Probabilistic polynomial-time adversary L(·), H(·), F (·) Cryptographic hash functions Enc k (·)/Dec k (·) Symmetric encryption/decryption under key k MAC Message authentication code Mac k (·)/Ver k (·) MAC generation/verification under key k ⊕ Bitwise exclusive-or (XOR) operation String concatenation operation {0, 1} n Bit strings of length n The remainder of this paper is structured as follows. Section 2 describes our extended security model for the analysis of SUA-WSN schemes. Section 3 presents the proposed SUA-WSN scheme along with cryptographic primitives on which the security of the scheme relies and then compares our scheme with other ECC-based schemes, both in terms of efficiency and security. Section 4 provides proofs of the user anonymity property and the AKE security for our scheme. Section 5 concludes the paper, summarizing our result and presenting some interesting future work.

Our Extended Security Model for SUA-WSN Schemes
In this section, we present a security model extended from the BPR model [10] to capture the security properties of SUA-WSN schemes.
Participants and long-lived keys. Let GW be the gateway and SRS and URS be the sets of all sensors and users, respectively, registered with GW . Let E = {GW } ∪ SRS ∪ URS. We identify each entity E ∈ E by a string, and interchangeably use E and ID E to refer to this identifier string. To properly capture the user anonymity property, we assume that: (1) each user U R ∈ URS has its pseudo identity P ID U R (as well as its true identity ID U R ); and (2) the adversary A is given only P ID U R , but not ID U R . A user U R may run multiple sessions of the authentication and key exchange protocol of the scheme (hereafter simply called the protocol), either serially or concurrently, to anonymously establish a session key with a sensor SR ∈ SRS via the assistance of the gateway GW . Therefore, at any given time, there could be multiple instances of the entities U R, SR and GW . We use Π i E to denote instance i of entity E ∈ E. Instances of U R and SR are said to accept when they compute a session key in an execution of the protocol. We denote the session key of Π i E by sk i E . Before the protocol is ever executed, • GW generates its master secret(s), issues a smart card to each U R ∈ URS and establishes a shared key with each SR ∈ SRS; and • each U R ∈ URS chooses its private password pw U R from the set of all possible passwords.
Partnering. Informally, we say that two instances are partners (or partnered) if they participate together in a protocol session and establish a shared key. Formally, the partner relationship between instances is defined in terms of the notion of the session identifier. A session identifier (sid) is literally an identifier of a protocol session and is typically defined as a function of the messages exchanged in the session. Let Adversary capabilities. The adversary A is a probabilistic polynomial-time (PPT) machine, which has full control of all communications between entities. More specifically, the PPT adversary A is able to: (1) eavesdrop, modify, intercept, delay and delete the protocol messages; (2) ask entities to open up access to session keys and long-term keys; and (3) extract the sensitive information on the smart cards of users. These capabilities of A are modeled using a pre-defined set of oracles to which A is allowed to ask queries. We assume that, when making oracle queries directed at (instances of) U R, the adversary A uses the pseudo identity P ID U R , since it does not know the true identity ID U R . The oracle queries are described as follows: This query models passive eavesdropping on the protocol messages. It prompts a protocol execution among the instances Π i U R , Π j SR and Π k GW and returns the transcript of the protocol execution to A. • Send(Π i E , m): This query sends a message m to an instance Π i E , modeling active attacks against the protocol. Upon receiving m, the instance Π i E proceeds according to the protocol specification. Any message generated by Π i E is output and given to A. A query of the form Send(Π i U R , start) prompts Π i U R to initiate a protocol session. and returns the information stored in the smart card of U R.
• TestAKE(Π i E ): This query is used for defining the indistinguishability-based security of session keys. The output of the query depends on a random bit b chosen by the oracle; in response to the query, either the real session key sk i E if b = 1 or a random key drawn from the session-key space if b = 0 is returned to A. • TestID(U R): This query is used for determining whether the protocol provides user anonymity or not. Depending on a random bit b chosen by the oracle, A is given either the identity actually used for U R in the protocol sessions (when b = 1) or a random identity drawn from the identity space (when b = 0).
SR and GW are said to be corrupted when they are asked a CorruptLL query, while U R is considered as corrupted if it has been asked both CorruptLL and CorruptSC queries.
Authenticated key exchange (AKE). We define the AKE security of the authentication and key exchange protocol P by using the notion of freshness of instances. Informally, a fresh instance refers to an instance whose session key should be kept indistinguishable from a random key to the adversary A, and an unfresh instance refers to an instance that holds a session key that can be distinguishable from a random key by trivial means. A formal definition of freshness follows: Definition 1 (Freshness). An instance Π i E is fresh unless one of the following occurs: The AKE security of the protocol P is defined in the context of the following two-phase experiment: Let SuccAKE 0 be the event that A succeeds in the experiment ExpAKE 0 . Let Adv AKE P (A) denote the advantage of A in breaking the AKE security of protocol P and be defined as Adv AKE Definition 2 (AKE security). The authentication and key exchange protocol P is AKE-secure if Adv AKE P (A) is negligible for any PPT adversary A.
User anonymity. The AKE security does not imply user anonymity. In other words, an authentication and key exchange protocol that does not provide user anonymity may still be rendered AKE secure.
Hence, a new, separate definition is necessary to capture the user anonymity property. Our definition of user anonymity is based on the notion of cleanness.

Definition 3 (Cleanness).
A user U R ∈ URS is clean unless one of the following occurs: Note that this definition of cleanness does not impose any restriction on asking a CorruptLL query to SR. This reflects our objective to achieve user anonymity even against the sensor SR. Now, consider the following experiment to formalize the user anonymity property: Phase 1. A freely asks any oracle queries, except that:

1.
A is not allowed to ask queries of the TestAKE oracle.

2.
A is not allowed to ask the TestID(U R) query if the user U R is not clean. 3. A is not allowed to ask CorruptLL and CorruptSC queries against GW and U R if it has already asked the TestID(U R) query.
Phase 2. When Phase 1 is over, A outputs a bit b as a guess on the random bit b selected by the TestID Let SuccID 0 be the event that A succeeds in the experiment ExpID 0 . Then, we define the advantage of A in attacking the user anonymity of protocol P as Adv ID Definition 4 (User anonymity). The authentication and key exchange protocol P provides user anonymity if Adv ID P (A) is negligible for any PPT adversary A.

The Proposed SUA-WSN Scheme
This section presents our ECC-based user authentication scheme for wireless sensor networks. Our scheme consists of three phases: the registration phase, the authentication, the key exchange phase and the password update phase. We begin by describing the cryptographic primitives on which the security of our scheme relies.

Preliminaries
Elliptic curve computational Diffie-Hellman (ECCDH) problem. Let G be an elliptic curve group of prime order q. Typically, G will be a subgroup of the group of points on an elliptic curve over a finite field. Let P be a generator of G. Informally stated, the ECCDH problem for G is to compute xyP ∈ G when given two elements (xP, yP ) ∈ G 2 , where x and y are chosen at random from Z * q . We say that the ECCDH assumption holds in G if it is computationally intractable to solve the ECCDH problem for G. More formally, we define the advantage of an algorithm A in solving the ECCDH problem for G as Adv ECCDH Symmetric encryption schemes. A symmetric encryption scheme Γ is a pair of efficient algorithms (Enc, Dec) where: (1) the encryption algorithm Enc takes as input an -bit key k and a plain text message m and outputs a ciphertext c; and (2) the decryption algorithm Dec takes as input a key k and a ciphertext c and outputs a message m. We require that Dec k (Enc k (m)) = m holds for all k ∈ {0, 1} and all m ∈ M, where M is the plain text space. For an eavesdropping adversary A against Γ and for an integer n ≥ 1 and a random bit b ∈ R {0, 1}, consider the following indistinguishability experiment:

Description of the Scheme
The public system parameters for our scheme include: 1. an elliptic curve group G with a generator P of prime order q, 2. a symmetric encryption scheme Γ = (Enc, Dec), 3. a MAC scheme ∆ = (Mac, Ver), and 4. three hash functions L, H and F .
We assume that these public system parameters are fixed during an initialization phase and are known to all parties in the network. As part of the initialization, the gateway GW chooses two master keys x, y ∈ Z * q , computes its public key X = xP and establishes a shared secret key k GS = L(ID SR y) with each sensor SR.

Registration Phase
A user U R registers itself with the gateway GW as follows: 1. U R chooses its identity ID U R and password pw U R freely and submits the identity ID U R to GW via a secure channel. 2. GW computes SID U R = Enc L(x) (ID U R ID GW ) and issues U R a smart card loaded with {SID U R , X, ID GW , G, P , Γ, ∆, L, H, F }. (We assume that q is implicit in G.)

U R replaces SID
This phase of user registration is depicted in Figure 1.

Authentication and Key Exchange Phase
U R needs to perform this phase with SR and GW whenever it wishes to gain access to the sensor network and data. The steps of the phase are depicted in Figure 2 and are described as follows:

U R SR GW
inputs ID UR and pw UR retrieves the timestamp T 1 a ∈ R Z * q , A = aP Step 1. U R inserts its smart card into a card reader and inputs its identity ID U R and password pw U R . Given ID U R and pw U R , the smart card retrieves the current timestamp T 1 , selects a random a ∈ Z * q and computes: After the computations, the smart card sends the message M 1 = ID GW , T 1 , A, C U R to the sensor SR.
Step 2. Upon receiving M 1 , SR first checks the freshness of T 1 . If T 1 is not fresh, SR aborts the protocol. Otherwise, SR retrieves the current timestamp T 2 , chooses a random b ∈ Z * q and computes B and δ SR as follows: Then, SR sends the message M 2 = ID SR , T 2 , B, δ SR along with M 1 to GW .
Step 3. After having received M 1 and M 2 , GW verifies that: (1) T 1 and T 2 are fresh; and (2) Ver k GS (ID SR T 2 B M 1 , δ SR ) = 1. If any of the verifications fails, GW aborts the protocol. Otherwise, GW computes K U G = xA and k U G = L(T 1 A K U G ), decrypts C U R with key k U G and checks if the decryption produces the same ID SR as contained in M 2 . GW aborts if the check fails. Otherwise, GW decrypts SID U R with key L(x) and checks if this decryption yields the same ID U R as produced through the decryption of C U R . If only the two IDs match, GW computes: Step 4. When receiving M 3 and M 4 , SR verifies that Ver k GS (ID GW ID SR B A, δ SR GW ) = 1. If the verification fails, SR aborts the protocol. Otherwise, SR forwards the message M 3 to U R and computes the shared secret K SU = bA and the session key sk = H(A B K SU ).
Step 5. Upon receiving M 3 , U R checks if Ver k U G (ID GW ID SR A B, δ U R GW ) = 1. U R aborts the protocol if the check fails. Otherwise, U R computes K SU = aB and sk = H(A B K SU ).
Since K SU = bA = aB = abP , U R and SR will compute the same session key sk = H(A B abP ) in the presence of a passive adversary.

Password Update Phase
One of the general guidelines to get better password security is to ensure that passwords are changed at regular intervals. Our scheme allows users to update their passwords at will.
1. U R inserts his smart card into a card reader and enters the identity ID U R , the current password pw U R and the new password pw U R . Table 3 compares our scheme with other ECC-based SUA-WSN schemes in terms of the computational requirements, the AKE security and user anonymity. For fairness of comparison, SUA-WSN schemes that use only lightweight symmetric cryptographic primitives are not considered in the table since they cannot achieve forward secrecy, but have a clear efficiency advantage over the ECC-based schemes.

Performance and Security Comparison
The scalar-point multiplication and map-to-point operation are much more expensive than the other operations considered in the table, such as symmetric encryption/decryption, MAC generation/verification and hash function evaluation. The total number of modular exponentiations and map-to-point operations required in Yeh et al.'s scheme [16] is 10, while the number is reduced to six in the other schemes. Therefore, the overall performance of Yeh et al.'s scheme is not as good as those of the other schemes. From the viewpoint of the computational burden on the sensor SR, our scheme is competitive with Choi et al.'s scheme [27] and Shi and Gong's scheme [21], since a MAC generation/verification is almost as fast as a hash function evaluation. According to Crypto++ benchmarks, HMACwith SHA-1 takes 11.9 cycles per byte, while SHA-1 takes 11.4 cycles per byte (see Table 4). Another point we wish to make is that a hash function evaluation with a long input string may not be faster than a symmetric encryption with a relatively short plain text input, though the opposite is generally true for the same length of inputs. For example, the computation of the ciphertext C U R in our scheme is unlikely to be more expensive than the computations of the hash values β, γ and δ, which are defined in both Choi et al.'s scheme and Shi and Gong's scheme. In this sense, it is fair to say that our scheme is competitive also in terms of the overall computational cost.
As is obvious from the table, our scheme is the only one that provides user anonymity (regardless of whether it is proven or not). This explains how the other schemes could have been designed without using any form of encryption algorithm. Choi et al. [27] prove that their scheme achieves the AKE security, but only using a computer security approach. In contrast, we use a computational complexity approach in proving both the AKE security and the user anonymity property.

Security Results
Let P denote the authentication and key exchange protocol of our scheme depicted in Figure 2. This section proves that the protocol P is AKE-secure and provides user anonymity (against any party other than the gateway GW ); see Section 2 for the formal definitions of the AKE security and the user anonymity property.

Proof of AKE Security
Theorem 1. Our authentication and key exchange protocol P is AKE-secure in the random oracle model under the ECCDH assumption in G and the security of the MAC scheme ∆.
Proof. Assume a PPT adversary A against the AKE security of the protocol P . We prove the theorem by making a series of modifications to the original experiment ExpAKE 0 , bounding the effect of each change in the experiment on the advantage of A and ending up with an experiment where A has no advantage (i.e., A has a success probability of 1/2). Let SuccAKE i denote the event that A correctly guesses the random bit b selected by the TestAKE oracle in experiment ExpAKE i . Let t i be the maximum time required to perform the experiment ExpAKE i involving the adversary A.
Experiment ExpAKE 1 . In this first modified experiment, the simulator answers the queries to the L oracle as follows: Simulation of the L oracle For each query of L on a string m, the simulator first checks if an entry of the form (m, l) is in a list called LList, which is maintained to store input-output pairs of L. If it is, the simulator outputs l as the answer to the hash query. Otherwise, the simulator chooses a random -bit string str, answers the query with str and adds the entry (m, str) to LList. This is the only difference between ExpAKE 1 and ExpAKE 0 ; the simulator answers all other oracle queries of A as in the original experiment ExpAKE 0 . Then, since ExpAKE 1 is perfectly indistinguishable from ExpAKE 0 , it follows that: Experiment ExpAKE 2 . In this experiment, we modify the computations of X and A as follows: The ExpAKE 2 modification • The simulator chooses two random elements Y, Y ∈ G and sets X = Y .
• For every fresh instance, the simulator chooses a random r ∈ Z * q and sets A = rY . For other instances, the simulator computes A as in experiment ExpAKE 1 .
Due to the modification, the simulator does not know the master secret x. The simulator aborts the experiment if A makes the CorruptLL(GW ) query. However, in this case, A cannot gain any advantage, as no instance is considered fresh. In this experiment, the simulator simply sets each k U G to a random -bit string, since it does not know the ephemeral secret a and, thus, cannot compute the secret K U G . This means that the success probability of A may be different between ExpAKE 1 and ExpAKE 2 if it asks an L(T 1 A K U G ) query. However, this difference is bounded by Claim 2.
, where q L is the number of queries made of the L oracle.
Proof. We prove the claim via a reduction from the ECCDH problem, which is believed to be hard, to the problem of distinguishing two experiments ExpAKE 1 and ExpAKE 2 . Assume that the success probability of A is non-negligibly different between ExpAKE 1 and ExpAKE 2 . Then, we construct an algorithm A ECCDH that solves the ECCDH problem in G with a non-negligible advantage. The objective of A ECCDH is to compute and output the value W = uvP ∈ G when given an ECCDH-problem instance (U = uP, V = vP ) ∈ G. A ECCDH runs A as a subroutine while simulating all of the oracles on its own.
A ECCDH handles all of the oracle queries of A as specified in experiment ExpAKE 2 , but using U and V in place of X and Y . When A outputs its guess b , A ECCDH chooses an entry of the form (T 1 A K, l) at random from LList and terminates outputting K/r. >From the simulation, it is not hard to see that A ECCDH outputs the desired result W = uvP with probability at least 1/q L if A makes a L(T 1 A K U G ) query for some fresh user instance. This completes Claim 2.
Before proceeding further, we define the event Forge as follows: Forge: The event that the adversary A asks a Send query of the form Send(Π i E , E msg) for uncorrupted E and E , such that msg contains a MAC forgery.
Experiment ExpAKE 3 . This experiment is different from ExpAKE 2 in that it is aborted and the adversary A does not succeed if the event Forge occurs. Then, we have: , where q send is the number of queries made for the oracle Send.
Proof. Assume that the event Forge occurs with a non-negligible probability. Then, we construct an algorithm A forge who generates, with a non-negligible probability, a forgery against the MAC scheme ∆. The algorithm A forge is given access to the Mac k (·) and Ver k (·) oracles. The objective of A forge is to produce a message/MAC pair (m, δ), such that: (1) Ver k (m, δ) = 1; and (2) δ has not been output by the oracle Mac k (·) on input m.
Let n k be the total number of MAC keys used in the sessions initiated via a Send query. Clearly, n k ≤ q send . A forge begins by selecting a random i ∈ {1, . . . , n k }. Let k i denote the i − th key among all of the n k MAC keys and Send i be any Send query that is expected to be answered and/or verified using k i . A forge runs A as a subroutine and answers the oracle queries of A as in experiment ExpAKE 2 , except that: it answers all Send i queries by accessing its Mac k (·) and Ver k (·) oracles. As a result, the i − th MAC key k i is not used during the simulation. If Forge occurs against an instance who holds k i , A forge halts and outputs the message/MAC pair generated by A as its forgery. Otherwise, A forge terminates with a failure indication.
If the guess i is correct, then the simulation is perfect and A forge achieves its goal. Namely, Adv Experiment ExpAKE 4 . We next modify the way of answering queries of the H oracle as follows: Simulation of the H oracle For each H query on a string m, the simulator first checks if an entry of the form (m, h) is in a list called HList, which is maintained to store input-output pairs of H. If it is, h is the answer to the hash query. Otherwise, the simulator chooses a random κ-bit string str, answers the query with str and adds the entry (m, str) to HList.
Other oracle queries of A are handled as in experiment ExpAKE 3 . Since ExpAKE 4 is perfectly indistinguishable from ExpAKE 3 , it is clear that: Experiment ExpAKE 5 . We finally modify the experiment so that, for each fresh instance of SR, the computation of B is done as follows: The ExpAKE 5 modification The simulator selects a random r ∈ Z * q and computes B = r X.
The simulator sets the session key sk to a random κ-bit string for each pair of fresh instances, as it cannot compute K SU . Accordingly, the success probability of A may be different between ExpAKE 4 and ExpAKE 5 if it asks an H(A B K SU ) query. Claim 5 below bounds the difference: where q H is the number of queries made of the H oracle.
Proof. Suppose that the difference in the advantage of A between SuccAKE 4 and SuccAKE 5 is non-negligible. Then, from A, we construct an algorithm A ECCDH that solves the ECCDH problem in G with a non-negligible advantage. The objective of A ECCDH is to compute and output the value W = uvP ∈ G when given an ECCDH-problem instance (U = uP, V = vP ) ∈ G.
A ECCDH runs A as a subroutine while answering all of the oracles queries by itself. A ECCDH handles the queries of A as specified in the ExpAKE 5 experiment, but using U and V in place of X and Y . When A terminates and outputs its guess b , A ECCDH selects an entry of the form (A B K, h) at random from HList and outputs K/rr . If A makes a H(A B K SU ) query, A ECCDH outputs the desired result W = uvP with probability at least 1/q H . This completes Claim 5.
In experiment ExpAKE 5 , the adversary A obtains no information on the random bit b selected by the TestAKE oracle, since the session keys of all fresh instances are selected uniformly at random from G. Therefore, it follows that Pr P,A [SuccAKE 5 ] = 1/2. This result combined with Claims 1-5 completes the proof of Theorem 1.

Proof of User Anonymity
Theorem 2. The authentication and key exchange protocol P provides user anonymity in the random oracle model under the ECCDH assumption in G and the security of the symmetric encryption scheme Γ.
Proof. Assume a PPT adversary A against the user anonymity property of the protocol P . As in the proof of Theorem 1, we make a series of modifications to the original experiment ExpID 0 , bounding the difference in the success probability of A between two consecutive experiments and then ending up with an experiment where A has a success probability of 1/2 (i.e., A has no advantage). We use SuccID i to denote the event that A correctly guesses the random bit b selected by the TestID oracle in experiment ExpID i . Let t i be the maximum time required to perform the experiment ExpID i involving the adversary A.
Experiment ExpID 1 . This experiment is different from ExpID 0 in that the random oracle L is simulated as follows: Simulation of the L oracle For each query to L on a string m, the simulator first checks if an entry of the form (m, l) is in a list called LList, which is maintained to store input-output pairs of L. If it is, the simulator outputs l as the answer to the hash query. Otherwise, the simulator chooses a random -bit string str, answers the query with str and adds the entry (m, str) to LList.
Other oracle queries of A are answered as in the original experiment ExpID 0 . Then, since L is a random oracle, ExpID 1 is perfectly indistinguishable from ExpID 0 , and Claim 6 immediately follows. Experiment ExpID 2 . Here, we modify the experiment so that A is computed as follows: The ExpID 2 modification • The simulator chooses a random exponent y ∈ Z * q and computes Y = yP . • For each instance of users, the simulator chooses a random r ∈ Z * q and sets A = rY .
As a result of the modification, each K U G is set to xyrP for some random r ∈ Z * q . Since the view of A is identical between ExpID 2 and ExpID 1 , it follows that: Experiment ExpID 3 . In this experiment, we modify the computations of X and A as follows: The ExpID 3 modification • The simulator chooses two random elements Y, Y ∈ G and sets X = Y .
• For instances of every clean user, the simulator chooses a random r ∈ Z * q and sets A = rY . For other instances, the simulator computes A as in experiment ExpID 2 .
As a result, the simulator does not know the master secret x. The simulator aborts the experiment if A makes the CorruptLL(GW ) query. However, in this case, A cannot gain any advantage, as no user is considered clean (see Definition 3). In this experiment, the simulator simply sets each k U G to a random -bit string, since it does not know the ephemeral secret a and, thus, cannot compute the secret K U G . This means that the success probability of A may be different between ExpID 2 and ExpID 3 if it asks an L(T 1 A K U G ) query. However, this difference is bounded by Claim 8.
, where q L is the number of queries made to the L oracle.
Proof. We prove the claim via a reduction from the ECCDH problem, which is believed to be hard, to the problem of distinguishing two experiments ExpID 2 and ExpID 3 . Assume that the success probability of A is non-negligibly different between ExpID 2 and ExpID 3 . Then, we construct an algorithm A ECCDH that solves the ECCDH problem in G with a non-negligible advantage. The objective of A ECCDH is to compute and output the value W = uvP ∈ G when given an ECCDH-problem instance (U = uP, V = vP ) ∈ G. A ECCDH runs A as a subroutine while simulating all of the oracles on its own.
A ECCDH handles all of the oracle queries of A as specified in experiment ExpID 3 , but using U and V in place of X and Y . When A outputs its guess b , A ECCDH chooses an entry of the form (T 1 A K, l) at random from LList and terminates outputting K/r. >From the simulation, it is clear that A ECCDH outputs the desired result W = uvP with a probability of at least 1/q L if A makes a L(T 1 A K U G ) query for some clean U R ∈ URS. This completes Claim 8.
Experiment ExpID 4 . We finally modify the experiment so that, for each clean user U R ∈ URS, a random identity ID U R drawn from the identity space is used in place of the true identity ID U R in generating C U R . Proof. We prove the claim by constructing an eavesdropper A eav who attacks the indistinguishability of Γ with advantage equal to Pr P,A [SuccID 4 ] − Pr P,A [SuccID 3 ] . A eav begins by choosing a random bit b ∈ {0, 1}. Then, A eav invokes the adversary A and answers all of the oracle queries of A as in experiment ExpID 3 , except that, for each clean user U R ∈ URS, it generates C U R by accessing its own encryption oracle as follows: A eav outputs (SID U R ID U R ID SR , SID U R ID U R ID SR ) as its plain text pair in the indistinguishability experiment Exp IND−EAV Γ . Let c be the ciphertext received in return for the plain text pair. A eav sets C U R equal to the ciphertext c.
That is, A eav sets C U R to the encryption of either SID U R ID U R ID SR or SID U R ID U R ID SR . Now, when A terminates and outputs its guess b , A eav outputs one if b = b , and zero otherwise. Then, it is clear that: • The probability that A eav outputs one when the first plain texts are encrypted in the experiment ] . Note that in the simulation, A eav eavesdrops at most q send encryptions, which is polynomial in the security parameter . This completes the proof of Claim 9.
In the experiment ExpID 4 , the adversary A cannot gain any information on the random bit b selected by the TestID oracle, because the identities of all clean users are chosen uniformly at random from the identity space. It, therefore, follows that Pr P,A [SuccID 4 ] = 1/2. This result combined with Claims 6-9 yields the statement of Theorem 2.

Concluding Remarks
We have extended the widely-accepted security model of Bellare, Pointcheval and Rogaway [10] to formally capture the security requirements for SUA-WSN schemes-smart-card-based user authentication schemes for wireless sensor networks. Our extended model provides formal definitions of the AKE security and the user anonymity property, while capturing the notion of two-factor security. We have also proposed a new SUA-WSN scheme and proved that it achieves user anonymity, as well as the AKE security in the extended model. To the best of our knowledge, our scheme is the first SUA-WSN scheme that is proven secure in a widely-accepted model.
We believe that our result lays a solid foundation for designing provably-secure two-factor authentication schemes for mobile roaming services, where user anonymity, as well as authenticated key exchange are also of critical security importance; see, e.g., the recent work of He et al. [33,34]. A concrete design of such a provably-secure roaming authentication scheme would be interesting future work. We also leave it as future work to present a formal treatment of security properties for three-factor authentication schemes [35].