Post-Quantum Secure Multi-Factor Authentication Protocol for Multi-Server Architecture

Abstract

The multi-factor authentication (MFA) protocol requires users to provide a combination of a password, a smart card and biometric data as verification factors to gain access to the services they need. In a single-server MFA system, users accessing multiple distinct servers must register separately for each server, manage multiple smart cards, and remember numerous passwords. In contrast, an MFA system designed for multi-server architecture allows users to register once at a registration center (RC) and then access all associated servers with a single smart card and one password. MFA with an offline RC addresses the computational bottleneck and single-point failure issues associated with the RC. In this paper, we propose a post-quantum secure MFA protocol for a multi-server architecture with an offline RC. Our MFA protocol utilizes the post-quantum secure Kyber key encapsulation mechanism and an information-theoretically secure fuzzy extractor as its building blocks. We formally prove the post-quantum semantic security of our MFA protocol under the real or random (ROR) model in the random oracle paradigm. Compared to related protocols, our protocol achieves higher efficiency and maintains reasonable communication overhead.

1. Introduction

With the rapid development of network technology, online services such as information inquiry, social entertainment, business transactions, and government affair handling have become integral to daily life. However, as more sensitive data are transmitted over public channels, ensuring secure access to these services has become increasingly critical. Remote authentication protocols are essential to prevent unauthorized access, eavesdropping, and tampering by malicious entities. Traditional single-factor or two-factor authentication mechanisms [1,2] are no longer sufficient due to vulnerabilities such as password guessing and lost smart card attacks [3]. As a result, multi-factor authentication (MFA) protocols [4] combining passwords, smart cards, and biometric data have been widely adopted for stronger security.

Most existing MFA [5,6,7] protocols, however, are designed for single-server architectures, requiring users to register separately with each service provider—a cumbersome process that leads to significant management overhead. To address this, multi-server MFA protocols have been proposed [8], allowing users to access multiple servers after a single registration. The multi-sever MFA protocol consists of a set of users, a set of service severs and a registration center (RC), as shown in Figure 1. All users and service severs need to register on the RC. After registration, the user can access different service servers with the same password, smart card and biometric data.

Some multi-sever protocols employ an online registration center (RC). The integration of an RC to authenticate each user–server pair increases communication overhead on the channel, introduces computational bottlenecks, and creates single-point failure issues at the RC.

To address the computational bottleneck problem of the online RC, a multi-server MFA protocol using an offline RC was proposed [9]. As shown in Figure 2, in an offline RC architecture, the RC distributes long-term information to both the user and the service server during the registration phase. This enables the two entities to mutually authenticate each other without involving the RC over a public channel. Offline RC-based solutions often lack support for post-quantum security or suffer from other vulnerabilities, such as denial-of-service (DoS) attacks, lack of user anonymity, or inefficient revocation mechanisms.

Given the threat posed by quantum computing to traditional cryptographic schemes like elliptic curve cryptography (ECC), it is crucial to develop MFA protocols that are not only efficient and secure in a multi-server environment but also resilient to quantum attacks. Despite numerous efforts in this domain, there remains a gap: no existing protocol simultaneously supports multi-server architectures, employs an offline RC, ensures user anonymity, and guarantees post-quantum security. This work aims to fill this gap by proposing a novel lattice-based MFA protocol tailored for multi-server environments with an offline RC, addressing both current and future security challenges.

Our Contributions

In this paper, we propose a multi-factor authentication protocol that leverages a fuzzy extractor (FE) and a Kyber key encapsulation mechanism (KEM). Our protocol ensures post-quantum security, supports an offline registration center (RC), and operates effectively in a multi-server architecture.

• In our protocol, both users and servers must initially register with the RC via a secure channel. After registration, any user can conduct mutual authentication with registered servers over an insecure channel, effectively negotiating a secure session key even when the RC is offline. Furthermore, our protocol supports users in updating their password and revoking their smart cards as needed.
• To achieve post-quantum security, our MFA protocol incorporates the post-quantum secure Kyber KEM and an information-theoretically secure fuzzy extractor as core components. The fuzzy extractor addresses minor variations in biometric inputs and prevents the storage of raw biometric data on the smart card, thereby reducing the risk of potential information leakage.
• We have proven the semantic security of our MFA protocol under the ROR (real or random) model. Furthermore, we conducted a comparative analysis with related protocols, demonstrating that our protocol achieves higher efficiency while maintaining reasonable communication overhead.

2. Related Work

Since Lamport’s pioneering one-time password protocol in 1981 [1], authentication mechanisms have evolved significantly. The introduction of two-factor authentication combining passwords and smart cards improved resistance against direct password guessing [2,10]. However, these protocols remained vulnerable to stolen verifier and smart card loss attacks. To enhance security further, researchers introduced biometrics as a third factor, giving rise to multi-factor authentication (MFA) protocols [11,12,13,14].

A major limitation of early MFA protocols was their design for single-server environments, where users must re-register with each server individually an inconvenient and insecure approach when managing multiple accounts. To mitigate this, multi-server MFA protocols were developed [5,6,7], enabling a single registration to grant access to multiple services. Kumari et al. [8] proposed a protocol using elliptic curve cryptography (ECC) and biohashing for multi-server systems, but Feng et al. [15] later exposed its vulnerabilities, including susceptibility to man-in-the-middle attacks and lack of user anonymity. Barman et al. [16] proposed a remote authentication protocol using fuzzy commitment, but this protocol cannot prevent insider attacks, and the smart card revocation phase is insecure. Barman subsequently proposed an improved protocol [17] to address these issues. Unfortunately, the new protocol does not ensure user anonymity. Analyzing the vulnerabilities in Barman et al.’s protocol [17], Ali et al. [18] proposed an enhanced three-factor symmetric key authentication protocol for multi-server environments. However, this improved protocol exhibits excessive computational overhead and fails to achieve post-quantum security. Yoon et al. [4] introduced another ECC-based solution, but its reliance on an online RC led to increased communication overhead and vulnerability to single-point failures.

To overcome the limitations of an online RC, several protocols adopted an offline RC model, where the RC distributes long-term keys during registration, enabling mutual authentication between users and servers without involving the RC in every session. Chuang et al. [9] proposed a lightweight anonymous multi-server MFA protocol using an offline RC and employing only nonce and hash functions. Mishra et al. [19] demonstrated that Chuang’s protocol [9] is unable to defend against user impersonation, denial of service (DoS) attacks and server spoofing attacks. Then, they proposed an improved protocol that overcomes the weaknesses of the original protocol while retaining its advantages. Chaturvedi et al. [20] proposed a biometric-based protocol that utilizes biohashing, modular exponentiation, and hash functions, along with an offline RC mechanism. Unfortunately, Chaturvedi’s protocol [20] fails to offer user anonymity and smart card revocation capabilities. Luo et al. [21] and Shukla et al. [22] presented provably secure ECC-based protocols for multi-server settings with an offline RC; however, they remain vulnerable in the face of quantum threats.

As quantum computing advances threaten classical cryptographic algorithms, lattice-based cryptography has emerged as a promising alternative. Lattice-based problems such as Learning With Errors (LWE) and Ring-LWE offer strong hardness guarantees even under quantum attacks [23,24,25,26]. Several recent works have explored lattice-based authentication protocols. For instance, Bahache et al. [27] proposed a Kyber-based framework for cloud healthcare applications, while Ahmad et al. [28] and Basker et al. [29] introduced post-quantum MFA protocols for medical IoT systems. However, none of these protocols are suitable for multi-server environments with an offline RC.

3. Preliminaries

This section introduces definitions and concepts that may be utilized in this paper.

3.1. Notation

In this paper, we use bold uppercase letters to represent matrices and bold lowercase letters to represent vectors. The transpose of a is written as ${\mathbf{a}}^{\top }$. “PPT” is short for probabilistic polynomial time.

3.2. Module-LWE

Definition 1

(Binomial Distribution). The centered binomial distribution $B_{\eta }$ for some integer η is defined as follows: Sample ${\left\{(a_i,b_i)\right\}}_{i=1}^{\eta }\leftarrow {\left({\{0,1\}}^2\right)}^{\eta }$ and output ${\sum }_{i=1}^{\eta }(a_i-b_i)$.

If v is an element of R, $v\leftarrow {\beta }_{\eta }$ means that $v\in R$ is generated from a distribution where each of its coefficients is generated according to ${\beta }_{\eta }$.

Definition 2

(Module-LWE). Let n be a positive integer. The Module-LWE hard problem is to distinguish uniform samples $({\mathbf{a}}_i,b_i)\leftarrow R_q^n\times R_q$ from samples $({\mathbf{a}}_i,b_i)\leftarrow R_q^n\times R_q$, where ${\mathbf{a}}_i\leftarrow R_q^n$ is uniform and $b_i={\mathbf{a}}_i^{\top }s+e_i$, with $s\leftarrow {\beta }_{\eta }^n$ being common to all samples and $e_i\leftarrow {\beta }_{\eta }$ being fresh for every sample. More precisely, the advantage of an adversary $\mathcal{A}$ solving M-LWE problem is defined as

$$\begin{array}{ccc}\hfill Ad{v}_{m,n,\eta }^{\mathsf{mlwe}}\left(\mathcal{A}\right)& =& \begin{array}{c}\hfill |Pr\left[b^{\prime }=1:\begin{array}{cc}& \mathbf{A}\leftarrow R_q^{m\times n};(\mathbf{s},\mathbf{e})\leftarrow {\beta }_{\eta }^n\times {\beta }_{\eta }^m;\hfill \\ & \mathbf{b}=\mathbf{A}\mathbf{s}+\mathbf{e};b^{\prime }\leftarrow \mathcal{A}(\mathbf{A},\mathbf{b})\hfill \end{array}\right]\end{array}\hfill \\ & & -Pr\left[b^{\prime }=1:\mathbf{A}\leftarrow R_q^{m\times n};\mathbf{b}\leftarrow R_q^m;b^{\prime }\leftarrow \mathcal{A}(\mathbf{A},\mathbf{b})\right]|.\hfill \end{array}$$

The Module-LWE problem is hard if for all PPTs, adversary $\mathcal{A}$, $Ad{v}_{m,n,\eta }^{\mathsf{mlwe}}\left(\mathcal{A}\right)$ is negligible.

3.3. Key Encapsulation Mechanism

Definition 3

(Key Encapsulation Mechanism). A key encapsulation mechanism (KEM) consists of a triplet of probabilistic algorithms $\left(\mathit{KeyGen},\mathit{Encaps},\mathit{Decaps}\right)$, a ciphertext space $\mathcal{C}$ and a KEM key space $\mathcal{K}$.

• $\mathit{KeyGen}\left(1^{\lambda }\right)$ algorithm: upon input the security parameter $1^{\lambda }$, outputs a public key $pk$ and a secret key $sk$.
• $\mathit{Encaps}\left(pk\right)$ algorithm: inputs $pk$ and outputs a ciphertext c and a key $K\in \mathcal{K}$.
• $\mathit{Decaps}(sk,c)$ algorithm: inputs $sk$ and c and outputs either a key $K\in \mathcal{K}$ or a special symbol ⊥, indicating failure.

We define a KEM as $(1-\delta )$-correct if

$$Pr\left[\right(c,K)\leftarrow \mathit{Encaps}(pk)\wedge K=\mathit{Decaps}(sk,c\left)\right]\ge 1-\delta ,$$

where $(pk,sk)\leftarrow \mathit{KeyGen}\left(1^{\lambda }\right)$.

The standard security notion for the key encapsulation mechanism is indistinguishability under chosen ciphertext attacks. The advantage of an adversary $\mathcal{A}$ is defined as $Ad{v}_{\mathrm{KEM}}^{\mathrm{cca}}\left(\mathcal{A}\right)=|Pr[b=b^{\prime }:(pk,sk)\leftarrow \mathrm{KeyGen}(1^{\lambda })$; $b\leftarrow \{0,1\}$; $(c^{*},K_0^{*})\leftarrow \mathrm{Encaps}\left(pk\right)$; $K_1^{*}\leftarrow \mathcal{K}$; and $b^{\prime }\leftarrow {\mathcal{A}}^{\mathrm{DECAPS}(·)}(pk,c^{*},K_b^{*})]-{\displaystyle \frac{1}{2}}|$, where the DECAPS oracle is defined as $\mathrm{DECAPS}(·):=\mathrm{Decaps}(sk,·)$. $\mathcal{A}$ is not allowed to query $\mathrm{DECAPS}(·)$ with the challenge ciphertext $c^{*}$.

Our protocol will use the Kyber KEM introduced by Bos [26] as a building block. Kyber KEM includes three algorithms, $(\mathrm{Kyber}.\mathrm{KenGen},\mathrm{Kyber}.\mathrm{Encaps},$ and $\mathrm{Kyber}.\mathrm{Decaps})$. The security of Kyber KEM is based on the hardness of Module-LWE in the classical and quantum random oracle models [26].

3.4. Metric Spaces and Min-Entropy

Definition 4

(Metric Spaces). A metric space is a set $\mathcal{M}$ equipped with a distance function $\mathrm{dis}:\mathcal{M}\times \mathcal{M}\to {\mathbb{R}}^{+}\cup \left\{0\right\},$ which defines the distance between its elements (e.g., Hamming distance, which denotes the number of positions at which two strings of equal length differ).

Definition 5

(Min-Entropy). For a random variable X, the min-entropy of X is defined as $H_{\infty }\left(X\right)=-log\left({max}_{x\in \mathcal{X}}Pr[X=x]\right)$.

3.5. Fuzzy Extractor

Biometric data are not uniformly distributed and may vary slightly during different samples. Fuzzy extractors enable the extraction of stable and nearly uniform randomness from noisy biometric data.

Definition 6

(Fuzzy Extractor). An $(\mathcal{M},m,\mathcal{R},\mathtt{t},\epsilon )$-fuzzy extractor (FE) consists of two PPT algorithms $\mathit{FE}=(\mathit{Gen},\mathit{Rep})$ with the following properties:

• $\mathit{Gen}\left(w\right)$: on input of an element $w\in \mathcal{M}$, it outputs a public helper string P and an extracted string $R\in \mathcal{R}$.
• $\mathit{Rep}(w^{\prime },P)$: on input of an element $w^{\prime }\in \mathcal{M}$ and the public helper string P, it outputs an extracted string R or ⊥.
• Correctness. If $dis(w,w^{\prime })\le \mathtt{t}$, then for all $(R,P)\leftarrow \mathit{Gen}\left(w\right)$, we have $R=\mathit{Rep}(w,P)$.
• $(m,l,\epsilon )$-Security. For any distribution W over $\mathcal{M}$ such that $H_{\infty }\left(W\right)\ge m$, for any adversary $\mathcal{A}$, it follows that

  $$Ad{v}_{FE}\left(\mathcal{A}\right)=|Pr[\mathcal{A}(R,P)\Rightarrow 1]-Pr[\mathcal{A}(U,P)\Rightarrow 1]|\le \epsilon ,$$

  where $(R,P)\leftarrow Gen\left(w\right)$ and $U\leftarrow {\{0,1\}}^l$.

Our protocol will use the fuzzy extractor proposed in [30], which is information-theoretically secure.

Remark 1.

The fuzzy extractor proposed by Dodis et al. [30] employs an efficient linear error-correcting code to handle errors in noisy biometric data. The encoding and decoding algorithms are efficient and publicly accessible. Furthermore, it has been proven to be information-theoretically secure [30].

3.6. Collision-Resistant Hash Function

A collision-resistant hash function is a mathematical function that takes an arbitrary-length message M in space $\mathcal{M}$ as input and produces a fixed-length string $H\left(M\right)$. The collision-resistant hash function has the following property: it is computationally infeasible to find two distinct messages M and $M^{\prime }$ such that $H\left(M\right)=H\left(M^{\prime }\right)$.

3.7. Adversary Model

We assume that the Dolev–Yao (DY) threat model [31] is applicable in our scheme as the standard threat model. Under this model, the adversary $\mathcal{A}$ has the following capabilities:

• $\mathcal{A}$ is familiar with the protocol’s operation and public parameters. Any legitimate user can pretend to be $\mathcal{A}$, and vice versa.
• $\mathcal{A}$ can eavesdrop, replay, modify, and forge messages communicated over the insecure public channel.
• $\mathcal{A}$ can attempt offline password guessing attacks using information extracted from smart cards or other sources.
• $\mathcal{A}$ cannot simultaneously compromise a legitimate user’s smart card, biometric and password. However, $\mathcal{A}$ can compromise any two of three factors and attempt to guess the third factor.
• Through side-channel attacks, such as power analysis, $\mathcal{A}$ can extract sensitive information stored on a smart card.

4. Proposed Protocol

In this section, we propose a multi-factor authentication protocol suitable for multi-server architectures, which utilizes an offline RC. The proposed protocol involves three entities: the registration center $RC$, the user $U_i$ and the service server $S_j$. The protocol comprises four phases: initializaiton phase, registration phase, login and authentication phase and update phase. All the notations in this section are summarized in

Table 1. Notations’ summary.

Notation	Description
$RC$	Registration Center
$U_i$	ith user
$UI{D}_i$, $P{W}_i$, $BI{O}_i$	Identity, password, and biometric of $U_i$
$S_j$	jth server
$SI{D}_j$	Identity of $S_j$
K	Private key of $RC$
$s{k}_{S_j}$, $p{k}_{S_j}$	Private key, public key of the Kyber KEM for $S_j$
$s{k}_{U_i}$, $p{k}_{U_i}$	Private key, public key of the Kyber KEM for $U_i$
$SK$	Session key between $S_j$ and $U_i$
$T_1$, $T_2$, $T_3$	Current time stamps
$h(·)$	Hash function
⊕, ‖	Bitwise XOR, concatenation
$\Delta T$	Acceptable transmission delay threshold
$S{C}_i$	Smart card of $U_i$
$\mathcal{A}$	Adversary

.

4.1. Initializaiton Phase

In this phase, the $RC$ selects and publicly discloses certain information as follows:

• $RC$ selects a hash function h: ${\{0,1\}}^{*}\to {\{0,1\}}^n$.
• $RC$ selects the $Gen$ and $Rep$ algorithms for the fuzzy extractor.
• $RC$ selects security parameters for the Kyber KEM.
• $RC$ randomly generates a private key K, publishes $\{\mathrm{Kyber}.\mathrm{KeyGen},\mathrm{Kyber}.\mathrm{Encaps}$, Kyber.Decaps, $h,Gen,Rep\}$ and securely stores K.

4.2. Registration Phase

In this phase, service servers and users register with the registration center ($RC$) via a secure channel.

4.2.1. Server Registration

Assuming there are k initial servers ready to be registered before any user’s registration, additional $k^{\prime }$ server slots are reserved to accommodate potential new servers in the future. As depicted in

Table 2. Server registration.

Server $\left({\mathit{S}}_{\mathit{j}}\right)$		$\mathbf{RC}$
		Select $k^{\prime }$ unique $SI{D}_j$
Select $SI{D}_j$
Compute $(p{k}_{S_j},s{k}_{S_j})\leftarrow \mathrm{Kyber}.\mathrm{KeyGen}(1^{\lambda })$
Store $s{k}_{S_j}$
	$\underset{securechannel}{\overset{\{SI{D}_j,p{k}_{S_j}\}}{\to }}$
		Check $SI{D}_j$
		Compute $PS{R}_j=h(SI{D}_j\left|\right|K)$
		Publish $\{SI{D}_j,p{k}_{S_j}\}$
	$\underset{securechannel}{\overset{\{SI{D}_j,PS{R}_j\}}{\leftarrow }}$
		Store $PS{R}_j$
Compare $SI{D}_j$
Store $PS{R}_j$

, the detailed steps of the server registration are outlined below.

• $RC$ first assumes that k initial servers will complete their registration before any user’s registration, and additional $k^{\prime }$ servers will complete their registration thereafter. Then, $RC$ selects $k^{\prime }$ unique $SI{D}_j^{\prime }$ for servers that may register in the future and computes $PS{R}_j^{\prime }=H(SI{D}_j^{\prime }\left|\right|K)$.
• If a server $S_j(1\le j\le k+k^{\prime })$ intends to register, it first chooses its unique ID, denoted as $SI{D}_j$. Then, the server invokes $(p{k}_{S_j},s{k}_{S_j})\leftarrow \mathrm{Kyber}.\mathrm{KeyGen}\left(1^{\lambda }\right)$, stores $s{k}_{S_j}$ securely, and sends $p{k}_{S_j}$ along with $SI{D}_j$ to $RC$.
• Upon receiving the message $\{SI{D}_j,p{k}_{S_j}\}$ from $S_j$, $RC$ will do the following:
  • If no user has registered, $RC$ will start to check the $SI{D}_j$. If the $SI{D}_j$ has been occupied, $RC$ will returns a rejection message. Otherwise, $RC$ computes $PS{R}_j=h(SI{D}_j\left|\right|K)$ and publishes $\{SI{D}_j,p{k}_{S_j}\}$ as the public information of server $S_j$ and securely stores $PS{R}_j$. Finally, $RC$ transmits $\{SI{D}_j,PS{R}_j\}$ to the server $S_j$.
  • If a user has completed their registration, the $RC$ will disregard the $SI{D}_j$ received from the server. Instead, $RC$ will use its pre-selected $SI{D}_j^{\prime }$ as the server’s ID, setting $SI{D}_j=SI{D}_j^{\prime },PS{R}_j=PS{R}_j^{\prime }$. Then $RC$ publishes $\{SI{D}_j,p{k}_{S_j}\}$ as the public information of server $S_j$ and securely stores $PS{R}_j$. Finally, $RC$ sends $\{SI{D}_j,PS{R}_j\}$ to server $S_j$.
• After receiving $\{SI{D}_j,PS{R}_j\}$ from $RC$, server $S_j$ will use $SI{D}_j$ as its own ID and securely store $PS{R}_j$ for future authentication purposes.

4.2.2. User Registration

The user’s information includes their ID, password and biometric data. Since biometric data are immutable, directly storing them for authentication purposes poses significant security risks in the event of a data leak. Additionally, biometric data can show slight variations each time they are captured. To address these issues, our protocol uses a fuzzy extractor to handle minor variations while preventing raw biometric data from being stored. During the user registration phase, the user’s biometric data $BI{O}_i$ are input into the fuzzy extractor. This process generates two outputs: a random string R and a public helper string P. Only the public helper string P needs to be stored by the user. As shown in

Table 3. User registration.

User $\left({\mathit{U}}_{\mathit{i}}\right)$		RC
Select $UI{D}_i$, $P{W}_i$
Imprint $BI{O}_i$
$(R_i,P_i)\leftarrow Gen\left(BI{O}_i\right)$
Generate a random nonce a
$PW{U}_i=h(UI{D}_i\left|\right|P{W}_i\left|\right|a)$
$AI{D}_i=h(UI{D}_i\left|\right|R_i)$
$A_i=AI{D}_i\oplus a$
	$\underset{securechannel}{\overset{\{AI{D}_i,PW{U}_i\}}{\to }}$
		Check whether the $AI{D}_i$ is unique
		if unique, store $AI{D}_i$ in the database
		for $1\le j\le k+k^{\prime }$, compute
		$V_{ij}=h(AI{D}_i\left|\right|PS{R}_j)\oplus PW{U}_i$
		$P_{ij}=h(SI{D}_j\left|\right|PS{R}_j)\oplus PW{U}_i$
		store $(SI{D}_j,V_{ij},P_{ij})$
		in a smart card $S{C}_i$
	$\underset{securechannel}{\overset{S{C}_i=\left\{(SI{D}_j,V_{ij},P_{ij})\right|1\le j\le k+k^{\prime }\}}{\leftarrow }}$
Store $P_i$, $PW{U}_i$, $A_i$ in $S{C}_i$

, the detailed steps of the user registration phase are outlined below.

• User $U_i$ selects its own user ID $UI{D}_i$ and password $P{W}_i$. Then, $U_i$ inputs biometric data $BI{O}_i$ and invokes the generation algorithm $(R_i,P_i)\leftarrow Gen\left(BI{O}_i\right)$. $U_i$ generates a random nonce a and computes $PW{U}_i=h(UI{D}_i\left|\right|P{W}_i\left|\right|a)$ and $AI{D}_i=h(UI{D}_i\left|\right|R_i)$$,A_i=AI{D}_i\oplus a$. Finally, $U_i$ sends $\{AI{D}_i,PW{U}_i\}$ to $RC$.
• When $RC$ receives the registration request from the user, it first verifies whether the $AI{D}_i$ is unique. If the $AI{D}_i$ is already in use, $RC$ returns a rejection message. Otherwise, $RC$ stores $AI{D}_i$ in its database for future use. For $1\le j\le k+k^{\prime }$, $RC$ computes $V_{ij}=h(AI{D}_i\left|\right|PS{R}_j)\oplus PW{U}_i$ and $P_{ij}=h(SI{D}_j\left|\right|PS{R}_j)\oplus PW{U}_i$ and stores $(SI{D}_j,V_{ij},P_{ij})$ in a smart card $S{C}_i$. Finally, it securely delivers $S{C}_i$ to the user.
• After receiving the smart card $S{C}_i$, user $U_i$ stores $PW{U}_i$, $P_i$ and $A_i$ in the smart card $S{C}_i$. Ultimately, the smart card contains $\{PW{U}_i,P_i,A_i\{SI{D}_j,V_{ij},P_{ij}|1\le j\le k+k^{\prime }\}\}$.

4.3. Login and Authentication Phase

This phase encompasses two components: user login and mutual authentication. As depicted in

Table 4. Login and authentication.

User $\left({\mathit{U}}_{\mathit{i}}\right)$		Server $\left({\mathit{S}}_{\mathit{j}}\right)$
$U_i$ inserts $S{C}_i$
inputs $UI{D}_i^{\prime }$, $P{W}_i^{\prime }$, $BI{O}_i^{\prime }$
Compute $R_i^{\prime }=Rep(BI{O}_i^{\prime },P_i)$
$AI{D}_i^{\prime }=h(UI{D}_i^{\prime }\left|\right|R_i^{\prime })$
$a^{\prime }=A_i\oplus AI{D}_i^{\prime }$
$PW{U}_i^{\prime }=h(UI{D}_i^{\prime }\left|\right|P{W}_i^{\prime }\left|\right|a^{\prime })$
If $PW{U}_i\ne PW{U}_i^{\prime }$
$S{C}_i$ ends the session
Else continue
Compute
$(c_1,K_1)\leftarrow \mathrm{Kyber}.\mathrm{Encaps}\left(p{k}_{S_j}\right)$
$(p{k}_{U_i},s{k}_{U_i})\leftarrow \mathrm{Kyber}.\mathrm{KeyGen}(1^{\lambda })$
$AI{D}_i^{\prime }=h(UI{D}_i^{\prime }\left|\right|R_i^{\prime })$
$M_1=PW{U}_i^{\prime }\oplus V_{ij}$
$M_2=PW{U}_i^{\prime }\oplus P_{ij}$
$M_3=AI{D}_i^{\prime }\oplus M_2\oplus K_1$
$M_4=h(M_1\left|\right|K_1\left|\right|T_1)$
	$\underset{publicchannel}{\overset{Msg1=\{c_1,M_3,M_4,T_1,p{k}_{U_i}\}}{\to }}$
		If $T_1^{\prime }-T_1\le \Delta T$, continue
		Compute $K_1^{\prime }=\mathrm{Kyber}.\mathrm{Decaps}(s{k}_{S_j},c_1)$
		$M_5=h(SI{D}_j\left|\right|PS{R}_j)$
		$M_6=M_5\oplus M_3\oplus K_1^{\prime }$
		$M_7=h(M_6\left|\right|PS{R}_j)$
		$M_8=h(M_7\left|\right|K_1^{\prime }\left|\right|T_1)$
		If $M_8=M_4$, continue
		Compute
		$(c_2,K_2)\leftarrow \mathrm{Kyber}.\mathrm{Encaps}\left(p{k}_{U_i}\right)$
		$S{K}_{ij}=h(M_5\left|\right|M_7\left|\right|K_1^{\prime }\left|\right|K_2\left|\right|T_2)$
		$M_9=h(S{K}_{ij}\left|\right|M_7\left|\right|T_2)$
	$\underset{publicchannel}{\overset{Msg2=\{M_9,T_2,c_2\}}{\leftarrow }}$
If $T_2^{\prime }-T_2\le \Delta T$, continue
Compute
$K_2^{\prime }=\mathrm{Kyber}.\mathrm{Decaps}(s{k}_{U_i},c_1)$
$S{K}_{ij}^{\prime }=h(M_2\left|\right|M_1\left|\right|K_1\left|\right|K_2^{\prime }\left|\right|T_2)$
$M_{10}=h(S{K}_{ij}^{\prime }\left|\right|M_1\left|\right|T_2)$
If $M_{10}=M_9$, continue
Compute
$M_{11}=h(S{K}_{ij}^{\prime }\left|\right|M_1\left|\right|K_2^{\prime }\left|\right|T_3)$
	$\underset{publicchannel}{\overset{Msg3=\{M_{11},T_3\}}{\to }}$
		If $T_3^{\prime }-T_3\le \Delta T$, continue.
		Compute $M_{12}=h(S{K}_{ij}\left|\right|M_7\left|\right|K_2\left|\right|T_3)$
		If $M_{12}=M_{11}$,
		the session key $S{K}_{ij}$ is established.

, the detailed steps for establishing a session key are outlined below.

4.3.1. User Login

All users are required to pass the login verification process to access a server $S_j$.

• User $U_i$ inserts the smart card $S{C}_i$ to a smart card scanner and inputs $UI{D}_i^{\prime }$, $P{W}_i^{\prime }$ and biometric data $BI{O}_i^{\prime }$.
• $S{C}_i$ invokes the $Rep$ algorithm to reproduce $R_i^{\prime }=Rep(BI{O}_i^{\prime },P_i)$ and computes $AI{D}_i^{\prime }=h(UI{D}_i^{\prime }\left|\right|R_i^{\prime })$, $a^{\prime }=A_i\oplus AI{D}_i^{\prime }$, $PW{U}_i^{\prime }=h(UI{D}_i^{\prime }\left|\right|P{W}_i^{\prime }\left|\right|a^{\prime })$. Then, $S{C}_i$ verifies whether $PW{U}_i^{\prime }=PW{U}_i$. If it is true, $S{C}_i$ continues the process. Otherwise, it rejects the login request.

4.3.2. Mutual Authentication

After the user $U_i$ successfully logs in, $U_i$ selects the server $S_j$ they wish to access and sends the initial message. Upon receiving the initial message, the server $S_j$ verifies the user’s identity. Then, the server $S_j$ sends a response message to the user $U_i$. User $U_i$ uses the response message to authenticate the server’s identity. Following this mutual authentication process, both parties will collaboratively establish a session key for use in their subsequent communications. All messages are transmitted over a public channel. The detailed mutual authentication and key establishment processes are outlined below.

• $S{C}_i$ invokes $(c_1,K_1)\leftarrow \mathrm{Kyber}.\mathrm{Encaps}\left(p{k}_{S_j}\right)$ and $(p{k}_{U_i},s{k}_{U_i})\leftarrow \mathrm{Kyber}.\mathrm{KeyGen}\left(1^{\lambda }\right)$. Then, $S{C}_i$ generates a time stamp $T_1$ and computes the following messages:

  $$\begin{gathered} AI{D}_i^{\prime }=h(UI{D}_i^{\prime }\left|\right|R_i^{\prime }); \\ {M}_1=PW{U}_i^{\prime }\oplus V_{ij}; \\ {M}_2=PW{U}_i^{\prime }\oplus P_{ij}; \\ {M}_3=AI{D}_i^{\prime }\oplus M_2\oplus K_1; \\ {M}_4=h(M_1\left|\right|K_1\left|\right|T_1); \end{gathered}$$

  then, it transmits $Msg1=\{c_1,M_3,M_4,T_1,p{k}_{U_i}\}$ to $S_j$.
• Upon receiving message $Msg1$, the server $S_j$ first records the current timestamp $T_1^{\prime }$ and checks if $T_1^{\prime }-T_1\le \Delta T$. If it does not hold, $S_j$ ends the session. Otherwise, $S_j$ invokes $K_1^{\prime }\leftarrow \mathrm{Kyber}.\mathrm{Decaps}(c_1,s{k}_{S_j})$. Then, $S_j$ uses the $PS{R}_j$ stored in the registration phase to compute

  $$\begin{gathered} M_5=h(SI{D}_j\left|\right|PS{R}_j), \\ {M}_6=M_5\oplus M_3\oplus K_1^{\prime }, \\ {M}_7=h(M_6\left|\right|PS{R}_j), \\ {M}_8=h(M_7\left|\right|K_1^{\prime }\left|\right|T_1). \end{gathered}$$
  If $M_8=M_4$ holds, $S_j$ invokes the $(c_2,K_2)\leftarrow \mathrm{Kyber}.\mathrm{Encaps}\left(p{k}_{U_i}\right)$. Then, $S_j$ generates the time stamp $T_2$ and computes

  $$\begin{gathered} S{K}_{ij}=h(M_5\left|\right|M_7\left|\right|K_1^{\prime }\left|\right|K_2\left|\right|T_2), \\ {M}_9=h(S{K}_{ij}\left|\right|M_7\left|\right|T_2). \end{gathered}$$
  Finally, server $S_j$ transmits $Msg2=\{M_9,T_2,c_2\}$ to user $U_i$.
• Upon receiving message $Msg2$, $S{C}_i$ generates the current time stamp $T_2^{\prime }$ and then checks if $T_2^{\prime }-T_2\le \Delta T$. If $T_2^{\prime }-T_2\le \Delta T$, $S{C}_i$ computes

  $$\begin{gathered} K_2^{\prime }=\mathrm{Kyber}.\mathrm{Decaps}(s{k}_{U_i},c_1), \\ S{K}_{ij}^{\prime }=h(M_2\left|\right|M_1\left|\right|K_1\left|\right|K_2^{\prime }\left|\right|T_2), \\ {M}_{10}=h(S{K}_{ij}^{\prime }\left|\right|M_1\left|\right|T_2). \end{gathered}$$
  If $M_{10}=M_9$ holds, $S{C}_i$ generates the time stamp $T_3$, computes $M_{11}=h(S{K}_{ij}^{\prime }\left|\right|M_1\left|\right|K_2^{\prime }\left|\right|$$T_3)$ and transmits $Msg3=\{M_{11},T_3\}$ to server $S_j$.
• Upon receiving the message $Msg3$, server $S_j$ records the current timestamp $T_3^{\prime }$ and checks if $T_3^{\prime }-T_3\le \Delta T$. If it does not hold, $S_j$ ends the session. Otherwise, $S_j$ computes $M_{12}=h(S{K}_{ij}\left|\right|M_7\left|\right|K_2\left|\right|T_3)$. If $M_{12}=M_{11}$, $S_j$ acknowledges the correctness of the session key. The session key $S{K}_{ij}$ is established between $U_i$ and $S_j$ for subsequent communication.

4.4. Update Phase

4.4.1. Password Update Phase

In this phase, users can update their passwords without further contacting the $RC$. Before updating the password, the user must complete the login process. The detailed steps of the password update are outlined below.

• User $U_i$ inserts the smart card $S{C}_i$ to a smart card scanner and inputs $UI{D}_i^{\prime }$, $P{W}_i^{\prime }$ and biometric data $BI{O}_i^{\prime }$.
• $S{C}_i$ invokes the $Rep$ algorithm to reproduce $R_i^{\prime }=Rep(BI{O}_i^{\prime },P_i)$ and computes $AI{D}_i^{\prime }=h(UI{D}_i^{\prime }\left|\right|R_i^{\prime })$, $a^{\prime }=A_i\oplus AI{D}_i^{\prime }$ and $PW{U}_i^{\prime }=h(UI{D}_i^{\prime }\left|\right|P{W}_i^{\prime }\left|\right|a^{\prime })$. Then, $S{C}_i$ verifies whether $PW{U}_i^{\prime }=PW{U}_i$. If it is true, $S{C}_i$ continues the process. Otherwise, it rejects the login request.
• $U_i$ provides a new password $P{W}_i^{new}$.
• $S{C}_i$ computes

  $$PW{U}_i^{new}=h(UI{D}_i\left|\right|P{W}_i^{new}\left|\right|a^{\prime }).$$
  For $1\le j\le k+k^{\prime }$, $S{C}_i$ computes

  $$\begin{gathered} V_{ij}^{new}=V_{ij}\oplus PW{U}_i\oplus PW{U}_i^{new}, \\ {P}_{ij}^{new}=P_{ij}\oplus PW{U}_i\oplus PW{U}_i^{new}. \end{gathered}$$
• $S{C}_i$ updates information as $\{PW{U}_i^{new},P_i,A_i,\{SI{D}_j,V_{ij}^{new},P_{ij}^{new}|1\le j\le k+k^{\prime }\}\}$.

4.4.2. Smart Card Revocation Phase

In this phase, the user can revoke the smart card by securely communicating with the $RC$.

• User $U_i$ inserts the old smart card, selects new $UI{D}_i^{new}$, $P{W}_i^{new}$, $a^{new}$, inputs biometric data $BI{O}_i^{\prime }$ and computes $R_i^{\prime }=Rep(BI{O}_i^{\prime },P_i)$. Then, $U_i$ computes $AI{D}_i^{\prime }=h(UI{D}_i^{\prime }\left|\right|R_i^{\prime })$, $PW{U}_i^{new}=h(UI{D}_i^{new}\left|\right|P{W}_i^{new}\left|\right|a^{new})$, $AI{D}_i^{new}=h(UI{D}_i^{new}\left|\right|R^{\prime })$ and $A_i^{new}=AI{D}_i^{new}\oplus a^{new}$, and then transmits $\{AI{D}_i^{\prime },AI{D}_i^{new},PW{U}_i^{new}\}$ to $RC$ along with a revocation request.
• $RC$ verifies the legitimacy of $U_i$ by comparing $AI{D}_i^{\prime }$ with all the $AID$s stored in the database.
• $RC$ replaces the old $AI{D}_i$ with the $AI{D}_i^{new}$. Then, $RC$ computes $V_{ij}^{new}=h(AI{D}_i^{new}\left|\right|PS{R}_j)\oplus PW{U}_i^{new}$ and $P_{ij}^{new}=h(SI{D}_j\left|\right|PS{R}_j)\oplus PW{U}_i^{new}$ for $1\le j\le k+k^{\prime }$.
• For $1\le j\le k+k^{\prime }$, $RC$ stores all the $SI{D}_j,V_{ij}^{new},P_{ij}^{new}$ in a smart card $S{C}_i^{new}$ and delivers $S{C}_i^{new}$ to the user through a secure channel.
• $U_i$ stores $PW{U}_i^{new}$, $A_i^{new}$ and $P_i$ in $S{C}_i^{new}$.

4.5. Formal Security Analysis

This section presents the formal security analysis of our proposed MFA using the real or random (ROR) model.

4.5.1. ROR Model

The following provides the main components of the ROR model:

• Participants: $U_i^a$ and $S_j^b$ represent the ath instance of user $U_i$ and the bth instance of server $S_j$, respectively.
• Adversary: $\mathcal{A}$ denotes a probabilistic polynomial time adversary.

The adversary $\mathcal{A}$ is allowed to query the following oracles:

• $Execute(U_i^a,S_j^b)$: This oracle outputs the protocol messages of an honest protocol execution between $U_i^a$ and $S_j^b$. By querying this oracle, the adversary launches passive attacks.
• $Send(U_i^a/S_j^b,m)$: This query simulates an active attack by the adversary $\mathcal{A}$, where $\mathcal{A}$ can send message m to the instance $U_i^a$ or $S_j^b$ and receive the response message from $U_i^a$ or $S_j^b$.
• $Corrupt(U_i,d)$: By querying this oracle, the adversary $\mathcal{A}$ can obtain one or two types of $U_i$’s secret information.
  $d=0$: $\mathcal{A}$ compromises $U_i$’s $UI{D}_i$ and $P{W}_i$.
  $d=1$: $\mathcal{A}$ compromises all the information stored in $U_i$’s smart card.
  $d=2$: $\mathcal{A}$ compromises $U_i$’s $BI{O}_i$.
• $Test(U_i^a/S_j^b)$: If $S{K}_{ij}$ is established, the oracle returns $S{K}_{ij}$ if $c=1$, and it returns a uniformly random key if $c=0$, where c is uniformly chosen from $\{0,1\}$.
• Random Oracle: We model the collision-resistant hash function $h(·)$ as a random oracle, denoted by H, which is publicly available to all participants, including the adversary $\mathcal{A}$.

Definition 7

(Semantic Security). A PPT adversary $\mathcal{A}$ is allowed to query $Execute(U_i^a,S_j^b)$, $Send(U_i^a/S_j^b,m)$, $Corrupt(U_i^a,d)$, $Test(U_i^a/S_j^b)$ and a random oracle. Finally, $\mathcal{A}$ provides a guessed bit $c^{\prime }$. Given a protocol $\mathcal{P}$, the advantage of $\mathcal{A}$ in the polynomial time t is defined as $Ad{v}_{\mathcal{P}}^{\mathcal{A}}\left(t\right)=|2·Pr[c^{\prime }=c]-1|$. We say that $\mathcal{P}$ satisfies the semantic security if $Ad{v}_{\mathcal{P}}^{\mathcal{A}}\left(t\right)=|2·Pr[c^{\prime }=c]-1|$ is negligible.

4.5.2. Security Proof

Theorem 1.

Suppose the PPT adversary $\mathcal{A}$ can execute at most $q_{exe}$ Execute queries, $q_{send}$ Send queries, $q_{test}$ Test queries and $q_{hash}$ Hash queries. Let $l_h$ denote the bit length of the output of the hash function, $l_b$ denote the length of the output R of fuzzy extractor, and $l_K$ denote the bit length of private key K selected by $RC$. Let $\left|U\right|$ denote the size of user ID space and $\left|\mathcal{K}\right|$ denote the size of encapsulation key space of Kyber.KEM. If the PPT $\mathcal{A}$ attempts to break the proposed protocol $\mathcal{P}$ in the polynomial time t, we have

$$\begin{array}{ccc}\hfill Ad{v}_{\mathcal{P}}^{\mathcal{A}}\left(t\right)& \le & 4q_{exe}·Ad{v}_{\mathit{Kyber}}^{\mathit{cca}}\left(\mathcal{A}\right)+{\displaystyle \frac{q_{hash}^2}{2^{l_h}}}+{\displaystyle \frac{q_{exe}^2}{\left|\mathcal{K}\right|}}+{\displaystyle \frac{q_{send}}{2^{l_b-1}}}\hfill \\ & & +2q_{send}·Ad{v}_{FE}\left(\mathcal{A}\right)+{\displaystyle \frac{q_{send}}{2^{l_k-1}}}+{\displaystyle \frac{2q_{send}}{\left|U\right|}}+{\displaystyle \frac{q_{send}}{2^{l_h-2}}}.\hfill \end{array}$$

Proof. 

Our proof consists of a sequence of hybrid games, starting with the real attack against MFA and ending in a game in which the adversary’s advantage is 0. Let Pr[$Suc{c}_i$] denote the probability that $\mathcal{A}$ successfully guesses the hidden bit c involved in ${\mathrm{Game}}_i$.

• ${\mathrm{Game}}_0$: This game corresponds to the real attack. According to the definition of semantic security, we have

  $$Ad{v}_{\mathcal{P}}^{\mathcal{A}}\left(t\right)=2Pr\left[Suc{c}_0\right]-1.$$

  (1)
• ${\mathrm{Game}}_1$: This game is identical to ${\mathrm{Game}}_0$, except that the simulator modifies the simulation of the $Execute$ query by replacing the key $K_1$ and $K_2$ used in $S{K}_{ij}$ with random strings $K_1^R$ and $K_2^R$ of the same length. Recall that in our protocol, $S{K}_{ij}=h(M_5\left|\right|M_7\left|\right|K_1\left|\right|K_2\left|\right|T_2)$, where $(c_1,K_1)\leftarrow \mathrm{Kyber}.\mathrm{Encaps}\left(p{k}_{S_j}\right)$ and $(c_2,K_2)\leftarrow \mathrm{Kyber}.$$\mathrm{Encaps}\left(p{k}_{U_i}\right)$. In this game, $S{K}_{ij}=h(M_5\left|\right|M_7\left|\right|K_1^R\left|\right|K_2^R\left|\right|T_2)$. Messages that $\mathcal{A}$ can obtain from a $Execute$ query are $Msg1=\{c_1,M_3,M_4,T_1,p{k}_{U_i}\}$, $Msg2=\{M_9,T_2,c_2\}$, $Msg3=\{M_{11},T_3\}$. By the security of Kyber.KEM, with ciphertext $c_1$, $c_2$ and public key $p{k}_{U_i}$, $p{k}_{S_j}$, the probability that $\mathcal{A}$ can distinguish $K_1$ and $K_2$ from $K_1^R$ and $K_2^R$ is smaller than $2Ad{v}_{\mathrm{Kyber}}^{\mathrm{cca}}\left(\mathcal{A}\right)$. Since $\mathcal{A}$ can make at most $q_{exe}$$Execute$ queries, we have

  $$|Pr\left[Suc{c}_1\right]-Pr\left[Suc{c}_0\right]|\le 2q_{exe}·Ad{v}_{\mathrm{Kyber}}^{\mathrm{cca}}\left(\mathcal{A}\right).$$

  (2)
• ${\mathrm{Game}}_2$: In this game, the simulator will stop if a collision exists in hash queries or a collision exists in $K_1^R$ or $K_2^R$. Based on the birthday paradox, the maximum probability of a collision in the output of a hash function is ${\displaystyle \frac{q_{hash}^2}{2^{l_h+1}}}$. The probability of finding a collision in $K_1^R$ or $K_2^R$ through Execute queries is at most ${\displaystyle \frac{q_{exe}^2}{2\left|\mathcal{K}\right|}}$. Thus, we have

  $$|Pr\left[Suc{c}_2\right]-Pr\left[Suc{c}_1\right]|\le {\displaystyle \frac{q_{hash}^2}{2^{l_h+1}}}+{\displaystyle \frac{q_{exe}^2}{2\left|\mathcal{K}\right|}}.$$

  (3)
• ${\mathrm{Game}}_3$: In this game, the simulator will reject all the $Send$ queries.

We claim that in ${\mathrm{Game}}_2$, the $Send$ query sent by $\mathcal{A}$ will be rejected with overwhelming probability.

• Upon receiving the $Send$ query $Send(S_j,Msg1)$, the simulator will check if $T_1^{\prime }-T_1\le \Delta T$. If $T_1^{\prime }-T_1>\Delta T$, the simulator will reject the $Send$ query; otherwise, the simulator will compute $K_1^{\prime }=\mathrm{Kyber}.\mathrm{Decaps}(s{k}_{S_j},c_1)$, $M_5=h(SI{D}_j\left|\right|PS{R}_j)$, $M_6=M_5\oplus M_3\oplus K_1^{\prime }$, $M_7=h(M_6\left|\right|PS{R}_j)$, $M_8=h(M_7\left|\right|K_1^{\prime }\left|\right|T_1)$, and it will verify if $M_8=M_4$. If $M_8\ne M_4$, the simulator will reject the $Send$ query.

  -

  Suppose that $\mathcal{A}$ has already executed $Corrupt(U_i,0)$ and $Corrupt(U_i,1)$ before executing the $Send$ query. In this case, $\mathcal{A}$ obtains the smart card $S{C}_i$, password $P{W}_i$ and user identity $UI{D}_i$ and does not know the biometric date $BI{O}_i$. In order to pass the verification, $\mathcal{A}$ needs to compute $AI{D}_i=h(UI{D}_i\left|\right|R_i)$ where $(R_i,P_i)\leftarrow Gen\left(BI{O}_i\right)$. Note that as long as biometric data $BI{O}_i$ has enough entropy, $R_i$ is almost uniform. More precisely, for all adversary $\mathcal{A}$, the probability of $\mathcal{A}$ to distinguish $R_i$ from a random string R is smaller than $Ad{v}_{FE}\left(\mathcal{A}\right)$. As a result, the probability of $\mathcal{A}$ guessing $R_i$ is smaller than ${\displaystyle \frac{q_{send}}{2^{l_b}}}+q_{send}·Ad{v}_{FE}\left(\mathcal{A}\right)$.

  -

  Suppose that $\mathcal{A}$ has already executed $Corrupt(U_i,0)$ and $Corrupt(U_i,2)$ before executing the $Send$ query. In this case, $\mathcal{A}$ obtains the biometric data $BI{O}_i$, password $P{W}_i$ and $UI{D}_i$, but $\mathcal{A}$ does not obtain the smart card $S{C}_i$. In order to pass the verification, $\mathcal{A}$ needs to compute $AI{D}_i=h(UI{D}_i\left|\right|R_i)$ and $PS{R}_j$, and then it computes $h\left(AI{D}_i\right|\left|PS{R}_j\right)$ and $h\left(SI{D}_j\right|\left|PS{R}_j\right)$. Recall that $PS{R}_j=h(SI{D}_j\left|\right|K)$ and K is the secret key of $RC$. If $\mathcal{A}$ can correctly guess the key of $RC$ and $P_i$ simultaneously, $\mathcal{A}$ can pass the verification. Since the key of $RC$ is uniformly random, the probability of $\mathcal{A}$ guessing the key of $RC$ and $P_i$ simultaneously is less than ${\displaystyle \frac{q_{send}}{2^{l_k}}}$.

  -

  Suppose that $\mathcal{A}$ has already executed $Corrupt(U_i,1)$ and $Corrupt(U_i,2)$ before executing the $Send$ query. In this case, $\mathcal{A}$ obtains the smart card $S{C}_i$ and the biometric data $BI{O}_i$, but $\mathcal{A}$ does not obtain the password $P{W}_i$ and $UI{D}_i$. With the smart card, $\mathcal{A}$ only needs to compute $AI{D}_i$ to pass the verification. If $\mathcal{A}$ can correctly guess the $UI{D}_i$, $\mathcal{A}$ would be able to pass the verification. Recall that $PW{U}_i=h(UI{D}_i\left|\right|P{W}_i\left|\right|a)$, $AI{D}_i=h(UI{D}_i\left|\right|R_i)$ and $A_i=AI{D}_i\oplus a$, where a is a random nonce. Since a is random, $AI{D}_i$ is masked by a. As a result, $\mathcal{A}$ cannot launch the offline user ID guessing attack. Therefore, $\mathcal{A}$ can guess $UI{D}_i$ with probability ${\displaystyle \frac{q_{send}}{\left|U\right|}}$.

• Upon receiving the $Send(U_i,Msg2)$, the simulator checks if $T_2^{\prime }-T_2\le \Delta T$. Then, the simulator computes $K_2^{\prime }=\mathrm{Kyber}.\mathrm{Decaps}(s{k}_{U_i},c_1)$, $S{K}_{ij}^{\prime }=h(M_2\left|\right|M_1\left|\right|K_1\left|\right|K_2^{\prime }\left|\right|T_2)$, $M_{10}=h(S{K}_{ij}^{\prime }\left|\right|M_1\left|\right|T_2)$, and verifies if $M_{10}=M_9$. If $\mathcal{A}$ wants to pass the verification, $\mathcal{A}$ needs to compute $M_{10}$. Since the adversary $\mathcal{A}$ does not know the secret key $s{k}_{S_j}$ and $PS{R}_j$, it is hard for $\mathcal{A}$ to compute $M_2,M_1$ and $K_1$. As a result, $\mathcal{A}$ can guess $M_{10}$ with a probability no larger than ${\displaystyle \frac{q_{send}}{2^{l_h}}}$.
• Upon receiving $Send(S_j,Msg3)$, the simulator checks if $T_3^{\prime }-T_3\le \Delta T$. Then, the simulator computes $M_{12}=h(S{K}_{ij}\left|\right|M_7\left|\right|K_2\left|\right|T_3)$ and verifies if $M_{12}=M_{11}$. Since $\mathcal{A}$ does not know $s{k}_{U_i}$, it cannot decapsulate the ciphertext to obtain $K_2$. As a result, $\mathcal{A}$ can guess the $M_{11}$ with a probability no larger than ${\displaystyle \frac{q_{send}}{2^{l_h}}}$.

From the above analysis, we can see that in ${\mathrm{Game}}_2$, the $Send$ query sent by $\mathcal{A}$ would not be rejected with a probability smaller than

$${\displaystyle \frac{q_{send}}{2^{l_b}}}+q_{send}·Ad{v}_{FE}\left(\mathcal{A}\right)+{\displaystyle \frac{q_{send}}{2^{l_k}}}+{\displaystyle \frac{q_{send}}{\left|U\right|}}+{\displaystyle \frac{q_{send}}{2^{l_h}}}+{\displaystyle \frac{q_{send}}{2^{l_h}}}.$$

As a result,

$$|Pr\left[Suc{c}_3\right]-Pr\left[Suc{c}_2\right]|\le {\displaystyle \frac{q_{send}}{2^{l_b}}}+q_{send}·Ad{v}_{FE}\left(\mathcal{A}\right)+{\displaystyle \frac{q_{send}}{2^{l_k}}}+{\displaystyle \frac{q_{send}}{\left|U\right|}}+{\displaystyle \frac{q_{send}}{2^{l_h-1}}}.$$

(4)

Note that in ${\mathrm{Game}}_3$, all $Send$ queries will be rejected. The session key $S{K}_{ij}$ in the $Execute$ query is generated from random strings $K_1^R$ and $K_2^R$. Due to the security of the hash function, $S{K}_{ij}$ is uniformly random in the view of $\mathcal{A}$. As a result, we have

$$Pr\left[Suc{c}_3\right]={\displaystyle \frac{1}{2}}.$$

(5)

Combing Equations (1)–(5) together, we have

$$\begin{array}{ccc}\hfill Ad{v}_{\mathcal{P}}^{\mathcal{A}}\left(t\right)& \le & 4q_{exe}·Ad{v}_{\mathrm{Kyber}}^{\mathrm{cca}}\left(\mathcal{A}\right)+{\displaystyle \frac{q_{hash}^2}{2^{l_h}}}+{\displaystyle \frac{q_{exe}^2}{\left|\mathcal{K}\right|}}+{\displaystyle \frac{q_{send}}{2^{l_b-1}}}\hfill \\ & & +2q_{send}·Ad{v}_{FE}\left(\mathcal{A}\right)+{\displaystyle \frac{q_{send}}{2^{l_k-1}}}+{\displaystyle \frac{2q_{send}}{\left|U\right|}}+{\displaystyle \frac{q_{send}}{2^{l_h-2}}}.\hfill \end{array}$$

□

4.6. Informal Security Analysis

• user anonymity: To preserve user anonymity, in the registration phase, the user $U_i$ computes masked identity $AI{D}_i=h(UI{D}_i\left|\right|R_i)$, where $R_i$ is generated by $Gen\left(BI{O}_i\right)=(R_i,P_i)$. In the authentication phase, $U_i$ sends $Msg1=\{c_1,M_3,M_4,T_1,p{k}_{U_i}\}$ to the server $S_j$; the masked identity $AI{D}_i$ is involved in $Msg1$. Note that the message related to $UI{D}_i$ transmitted to the $RC$ and server $S_j$ is the masked identity $AI{D}_i$. This ensures that the actual user identity remains protected. More precisely, due to the security of fuzzy extractor, as long as the biometric data $BI{O}_i$ have enough entropy, $R_i$ is almost uniformly distributed. Given the security properties of the hash function, it is infeasible for the $RC$, server $S_j$, or adversary $\mathcal{A}$ to guess $UI{D}_i$. This ensures user anonymity with respect to $RC$, server $S_j$ and adversary $\mathcal{A}$.
• user untraceability: The user untraceability ensures that it is difficult for an adversary $\mathcal{A}$ to trace or link different sessions to the same user by eavesdropping. Recall that, in each session, the messages transmitted over the public channel are $Msg1=\{c_1,M_3,M_4,T_1,p{k}_{U_i}\}$, $Msg2=\{M_9,T_2,c_2\}$ and $Msg3=\{M_{11},T_3\}$. Note that, in each session, user $U_i$ invokes $(p{k}_{U_i},s{k}_{U_i})\leftarrow \mathrm{Kyber}.\mathrm{KeyGen}\left(1^{\lambda }\right)$ and $(c_1,K_1)\leftarrow \mathrm{Kyber}.\mathrm{Encaps}\left(p{k}_{S_j}\right)$ and sets $M_3=AI{D}_i^{\prime }\oplus M_2\oplus K_1$ and $M_4=h(M_1\left|\right|K_1\left|\right|T_1)$. As a result, each parameter $Msg1$ is randomized. Similarly, every parameter in both $Msg2$ and $Msg3$ is randomized. Thus, the absence of transmission of static parameters ensures user untraceability.
• replay attack: In the authentication phase, the message $Msg1=\{c_1,M_3,M_4,T_1,p{k}_{U_i}\}$ sent by user $U_i$ involves a random key $K_1$ and a timestamp $T_1$, and the message $Msg2=\{M_9,T_2,c_2\}$ sent by the server $S_j$ involves a random key $K_2$ and a timestamp $T_2$. The involvement of random keys and timestamps helps our protocol resist replay attacks, specifically if an attacker eavesdrops $Msg1=\{c_1,M_3,M_4,T_1,p{k}_{U_i}\}$ and performs a replay attack using $Msg1$. Upon receiving $Msg1$, $S_j$ will check whether both $T_1^{\prime }-T_1\stackrel{?}{\le }\Delta T$ and $M_8\stackrel{?}{=}h(M_7\left|\right|K_1^{\prime }\left|\right|T_{\mathcal{A}})$ are true. If not, it ends the session. By the security of the underlying hash function, random key $K_1$ and timestamp $T_1$, the server $S_j$ will end the session with overwhelming probability. Similar analysis can be applied to $Msg2$.
• privileged insider attack: In our protocol, in the registration phase, user $U_i$ transmits $AI{D}_i=h(UI{D}_i\left|\right|R_i)$ and $PW{U}_i=h(UI{D}_i\left|\right|P{W}_i\left|\right|a)$ to the $RC$. Note that, $R_i$ is generated by $Gen\left(BI{O}_i\right)=(R_i,P_i)$ and a is a random nonce. As long as the biometric data $BI{O}_i$ contain sufficient entropy, $R_i$ is uniformly random. Additionally, the hash function has the property of pre-image resistance. Therefore, it is hard for an insider to derive $\{UI{D}_i,P{W}_i,BI{O}_i\}$, even if the registration message $\{AI{D}_i,PW{U}_i\}$ is leaked.
• offline password guessing attack: Suppose that the adversary has obtained the information $\{PW{U}_i,P_i,A_i,\{SI{D}_j,V_{ij},P_{ij}|1\le j\le k+k^{\prime }\}\}$ stored on the smart card and is attempting to guess the user’s password $P{W}_i$ offline. Note that $PW{U}_i=h(UI{D}_i\left|\right|P{W}_i\left|\right|a)$ contains the information of $P{W}_i$. If an attacker attempts to guess $P{W}_i$ from $PW{U}_i$, it is required to guess $UI{D}_i$, $P{W}_i$ and a simultaneously. Recall that $AI{D}_i=h(UI{D}_i\left|\right|R_i)$, $A_i=AI{D}_i\oplus a$, $Gen\left(BI{O}_i\right)=(R_i,P_i)$ and a is a random nonce. The fuzzy extractor guarantees that as long as $BI{O}_i$ has enough entropy, $R_i$ is almost uniformly distributed even if $P_i$ is public. Due to the security of the hash function, $AI{D}_i$ is pseudorandom. a is pseudorandom-conditioned on $A_i$. Therefore, the adversary cannot obtain $P{W}_i$ from $PW{U}_i$. Thereby, our protocol can resist offline password guessing attacks.
• stolen smart card attack: Suppose that the smart card is stolen by an adversary $\mathcal{A}$, who can extract all the information stored in the smart card. If $\mathcal{A}$ wants to log in, $\mathcal{A}$ needs to compute $PW{U}_i=h(UI{D}_i,P{W}_i,a)$, where a is a random nonce. a is concealed by $AI{D}_i$ and $A_i=AI{D}_i\oplus a$. Recall that $AI{D}_i=h(UI{D}_i\left|\right|R_i)$ and $Gen\left(BI{O}_i\right)=(R_i,P_i)$. This means that if $\mathcal{A}$ wants to compute $PW{U}_i=h(UI{D}_i,P{W}_i,a)$, $\mathcal{A}$ needs to guess $UI{D}_i$, $P{W}_i$ and $BI{O}_i$ simultaneously. Since $BI{O}_i$ has enough entropy, it is hard for $\mathcal{A}$ to guess $BI{O}_i$. As a result, it is difficult for $\mathcal{A}$ to log in just with a smart card.
• user impersonation attack: A user impersonation attack refers to when an attacker pretends to be a legitimate user to illegally obtain information services from servers. Impersonating a legitimate user $U_i$, the attacker $\mathcal{A}$ must be able to forge a valid login request. In our protocol, this means that $\mathcal{A}$ needs to successfully compute $AI{D}_i=h(UI{D}_i\left|\right|R_i)$ where $(R_i,P_i)\leftarrow Gen\left(BI{O}_i\right)$.

  -

  Through eavesdropping, $\mathcal{A}$ can easily obtain $\{Msg1,Msg2,Msg3\}$. In our protocol, $AI{D}_i$ is masked by $K_1$. By the security of Kyber.KEM, $K_1$ is pseudorandom. As a result, $\mathcal{A}$ cannot obtain $AI{D}_i$ from eavesdropping.

  -

  Assume that $\mathcal{A}$ obtains the smart card $S{C}_i$ and biometric data $BI{O}_i$. Recall that $PW{U}_i=h(UI{D}_i\left|\right|P{W}_i\left|\right|a)$, $AI{D}_i=h(UI{D}_i\left|\right|R_i)$ and $A_i=AI{D}_i\oplus a$, where a is a random nonce. Since a is random, $AI{D}_i$ is masked by a. As a result, $\mathcal{A}$ cannot launch a user ID guessing attack. Therefore, $\mathcal{A}$ cannot compute $AI{D}_i=h(UI{D}_i\left|\right|R_i)$.

  -

  Assume that $\mathcal{A}$ obtains the smart card $S{C}_i$ and password $P{W}_i$ and user identity $UI{D}_i$. As long as biometric data $BI{O}_i$ have enough entropy, $R_i$ is almost uniform. As a result, $\mathcal{A}$ cannot compute $AI{D}_i=h(UI{D}_i\left|\right|R_i)$.

  -

  Assume that $\mathcal{A}$ obtains the biometric data $BI{O}_i$ and password $P{W}_i$ and $UI{D}_i$. If $\mathcal{A}$ wants to compute $AI{D}_i=h(UI{D}_i\left|\right|R_i)$, $\mathcal{A}$ needs to invoke $R_i=Rep(BI{O}_i,P_i)$ to obtain $R_i$. Since $P_i$ is stored in the smart card, $\mathcal{A}$ cannot invoke $R_i=Rep(BI{O}_i,P_i)$. As a result, $\mathcal{A}$ cannot compute $AI{D}_i=h(UI{D}_i\left|\right|R_i)$.

• man-in-the-middle attack: The adversary $\mathcal{A}$ pretends to be the server in a conversation with the user and also pretends to be the user in a conversation with the server.

  -

  Every legal server has its own $s{k}_{S_j}$. Without the $s{k}_{S_j}$, $\mathcal{A}$ cannot compute $K_1^{\prime }=\mathrm{Kyber}.\mathrm{Decaps}(s{k}_{S_j},c_1)$ and forge $M_9$. Therefore, $\mathcal{A}$ cannot make $U_i$ believe that $\mathcal{A}$ is the specific legitimate server.

  -

  Every legal user has her/his own $UI{D}_i,P{W}_i,BI{O}_i$ and $S{C}_i$. As long as the adversary $\mathcal{A}$ does not obtain all three factors of the user $U_i$ who they want to impersonate, $\mathcal{A}$ cannot compute $AI{D}_i=h(UI{D}_i\left|\right|R_i)$. As a result, verification of the server would not be passed.

• backward and forward secrecy: In our protocol, even if a participant’s long-term secret is compromised, it remains difficult for an adversary $\mathcal{A}$ to derive either previously generated or future possible keys. Note that in each session, the user $U_i$ will invoke $(p{k}_{U_i},s{k}_{U_i})\leftarrow \mathrm{Kyber}.\mathrm{KeyGen}(1^{\lambda })$ and send $p{k}_{U_i}$ to the server $S_j$. The server will invoke $(c_2,K_2)\leftarrow \mathrm{Kyber}.\mathrm{Encaps}\left(p{k}_{U_i}\right)$. The session key is $S{K}_{ij}=h(M_2\left|\right|M_1\left|\right|K_1\left|\right|K_2\left|\right|T_2)$. Although $c_2,p{k}_{U_i}$ are transmitted over the public channel, due to the the security of the Kyber KEM, it is hard for $\mathcal{A}$ to obtain $K_2$. The forward and backward secrecy of the protocol is ensured.
• key compromise impersonation attack: The multi-server architecture comprises multiple cloud servers and user entities. A key compromise impersonation attack occurs when an adversary $\mathcal{A}$ obtains the long-term secrets of some participants and attempts to impersonate another user $U_i$ or server $S_j$. Assuming that $\mathcal{A}$ comprises a subset of users $U_{\mathcal{A}}=\{U_{i1},\cdots ,U_{im}\}$ and a subset of servers $S_{\mathcal{A}}=\{S_{j1}\cdots ,S_{jn}\}$, our protocol ensures that $\mathcal{A}$ cannot impersonate any uncompromised user $U_i\notin U_{\mathcal{A}}$ or server $S_j\notin S_{\mathcal{A}}$.

  -

  The adversary $\mathcal{A}$ cannot impersonate any user $U_i\notin U_{\mathcal{A}}$. To impersonate a legitimate user $U_i$, the adversary $\mathcal{A}$ must forge a valid login request. In our protocol, this requires $\mathcal{A}$ to successfully compute $AI{D}_i=h(UI{D}_i\left|\right|R_i)$, where $(R_i,P_i)\leftarrow Gen\left(BI{O}_i\right)$. Since $\mathcal{A}$ does not comprise user $U_i$, $\mathcal{A}$ gains no information about $BI{O}_i$. Given that $BI{O}_i$ has enough entropy, the security of fuzzy extractor ensures that $R_i$ is nearly uniformly distributed. As a result, $\mathcal{A}$ cannot compute $AI{D}_i$.

  -

  The adversary $\mathcal{A}$ cannot impersonate any server $S_j\notin S_{\mathcal{A}}$. To impersonate a legitimate server $S_j$, the adversary $\mathcal{A}$ must compute the correct message $M_9$ to pass the verification, where $M_9=h(S{K}_{ij}\left|\right|M_7\left|\right|T_2)$, $S{K}_{ij}=h(M_5\left|\right|M_7\left|\right|K_1^{\prime }\left|\right|K_2\left|\right|T_2)$, $M_5=h(SI{D}_j\left|\right|PS{R}_j)$ and $K_1^{\prime }=\mathrm{Kyber}.\mathrm{Decaps}(s{k}_{S_j},c_1)$. To compute $M_9$, the adversary needs to correctly decapsulate $c_1$. Due to the security of the underlying Kyber.KEM, without the secret key $s{k}_{S_j}$, $K_1^{\prime }$ is pseudorandom. As a result, adversary $\mathcal{A}$ cannot compute the correct message $M_9$.

• RC root key exposure attack: In this attack, the RC’s root key K is leaked to the adversary $\mathcal{A}$.

  -

  The adversary $\mathcal{A}$ cannot learn the identity of user $U_i$. Recall that in the registration phase, the user $U_i$ selects an identity $UI{D}_i$ and a password $P{W}_i$ and then imprints $BI{O}_i$. The user then invokes $(R_i,P_i)\leftarrow Gen\left(BI{O}_i\right)$, generates a random nonce a, and computes $PW{U}_i=h(UI{D}_i\left|\right|P{W}_i\left|\right|a)$, $AI{D}_i=h(UI{D}_i\left|\right|R_i)$ and $A_i=AI{D}_i\oplus a$.

  Note that $AI{D}_i=h(UI{D}_i\left|\right|R_i)$, where $R_i$ is generated by the fuzzy extractor $Gen\left(BI{O}_i\right)=(R_i,P_i)$ and a is a random nonce in the computation of $PW{U}_i=h(UI{D}_i\left|\right|P{W}_i\left|\right|a)$. As long as $BI{O}_i$ has enough entropy, the output $R_i$ is almost uniformly distributed due to the security of the fuzzy extractor. Consequently, the user’s identity $UI{D}_i$ remains concealed from the adversary.

  -

  The adversary $\mathcal{A}$ cannot impersonate a legitimate server $S_j$. Recall that in the registration phase, the server $S_j$ selects $SI{D}_j$, computes $(p{k}_{S_j},s{k}_{S_j})\leftarrow \mathrm{Kyber}.\mathrm{KeyGen}(1^{\lambda })$ and sends $\{SI{D}_j,p{k}_{S_j}\}$ over a secure channel to the RC. Then, the RC computes $PS{R}_j=h(SI{D}_j\left|\right|K)$, publishes $\{SI{D}_j,p{k}_{S_j}\}$, and stores $PS{R}_j$. We can see that even if the root key K is exposed to $\mathcal{A}$, $\mathcal{A}$ obtains no information about the secret key $s{k}_{S_j}$. Without $s{k}_{S_j}$, $\mathcal{A}$ cannot impersonate a legitimate server $S_j$.

5. Performance

This section compares our protocol with other related protocols [8,9,15,16,17,18,20,21,22,28,29,32,33] in terms of security performance and efficiency.

Table 5. Security functionalities and attacks.

	[9]	[28]	[32]	[20]	[8]	[15]	[16]	[17]	[18]	[21]	[33]	[22]	[29]	Our
User anonymity	✔	✗	✔	✗	✗	✔	✗	✗	✔	✔	✔	✔	✗	✔
User untraceability	✔	✔	✔	✗	✗	✔	✗	✗	✗	✔	✔	✔	✔	✔
Mutual authentication	✔	✔	✔	✔	✔	✔	✔	✔	✗	✔	✔	✔	✔	✔
$SK$ security	✔	✔	✔	✔	✔	✔	✔	✔	✗	✔	✔	✔	✔	✔
Secure smart card revocation	✔	✗	✗	✗	✗	✗	✔	✔	✔	✔	✗	✔	✗	✔
Resist replay attack	✔	✔	✔	✔	✗	✗	✔	✔	✔	✗	✔	✔	✔	✔
Resist privileged insider	✔	✔	✔	✔	✗	✔	✔	✔	✔	✔	✗	✔	✗	✔
Resists offline password guessing attack	✔	✔	✔	✔	✔	✔	✔	✔	✔	✔	✔	✔	✔	✔
Resist smart card stolen	✗	✔	✔	✔	✔	✔	✗	✔	✔	✔	✗	✔	✔	✔
Resists user impersonation	✔	✔	✔	✔	✔	✔	✔	✗	✗	✔	✔	✔	✔	✔
Resists DoS	✔	✗	✔	✔	✗	✗	✔	✔	✔	✗	✔	✔	✔	✔
Forward secrecy	✔	✔	✔	✔	✔	✔	✔	✔	✔	✔	✔	✔	✔	✔
Post-quantum security	✔	✔	✗	✗	✗	✗	✗	✗	✗	✗	✗	✗	✔	✔

shows the analysis of the security functionalities and attack resistance capabilities of the related protocols. Protocols [8,16,17,20,28,29] do not protect user anonymity. Protocols [8,16,17,18,20] do not ensure user untraceability. These protocols in [18] fail to achieve mutual authentication in the authentication phase. The secure smart card revocation phase does not exist in protocols [8,15,20,28,29,32,33]. The protocol in [18] cannot guarantee $SK$ security. Protocols [8,15,21,28] cannot defend against replay attacks. Protocols [8,29,33] are prone to privileged insider attacks, protocols [16,29,33] are prone to smart card stolen attacks, protocols [17] are vulnerable to user impersonation attacks, and protocols [8,15,21,28] are susceptible to Dos. [8,15,16,17,18,20,21,22,32,33] cannot ensure post-quantum security. Compared to these protocols, our protocol can provide all the security functionalities and attack resistance capabilities mentioned previously.

To compare the computational and communication costs with other relevant protocols, we denote $T_H$ as the time cost of the SHA-1 hash function, $T_{SE/D}$ for AES-128 symmetric encryption/decryption, $T_{MExp}$ for the 2048-bit prime p modular exponential, and $T_{EccM}$ for ECC-256 scalar multiplication. Let $T_{Ke}$, $T_{En}$, $T_{De}$ denote the operation time for Kyber.Keygen, Kyber.Encap and Kyber.Decaps, respectively. $T_{Ec}$ and $T_{Dc}$ represent the encryption and decryption times of Kyber’s public-key encryption scheme used in [29]. These operations are implemented on a desktop configuration comprising a 64-bit operating system, Intel core i5-12400F @ 2.50 GHz, 18GB RAM, and using the Python 3.9.1 programming language. The execution time for $T_H$, $T_{SE/D}$, $T_{MExp}$, $T_{EccM}$, $T_{Ke}$, $T_{En}$, $T_{De}$ is 0.0008 s, 0.0143 s, 0.1191 s, 0.0515 s, 0.0045 s, 0.0056 s, 0.007 s, respectively. The times for $T_{Ec}$ and $T_{Dc}$ are 0.0055 s and 0.0016 s. Additionally, we denote the execution time for fuzzy extractor, fuzzy commitment, and biohashing as $T_{Fe}$, $T_{Fc}$, and $T_{Bh}$. According to the article [34], the time of $T_{Fe}$, $T_{Fc}$, $T_{Bh}$ is the same as $T_{EccM}$. The experimental computational times for polynomial multiplication, polynomial addition/subtraction, and PUF in [29] are $T_{PM}=0.5115$ s, $T_{PAS}=0.0006$ s, and $T_{PUF}=0.0005$ s, respectively. The sizes of the hash value, identity, random number, timestamp, c and $pk$ are 160 bits, 40 bits, 40 bits, 32 bits, 1184 bits, and 1088 bits, respectively.

Table 6. Computation and communication costs.

Protocol	Computation Cost (s)	Communication Cost (bit)
Auth1 in [29]	$17T_H+T_{Fe}+2T_{Ec}+2T_{Dc}\approx 0.0935$	7136
[28]	$19T_H+2T_{PAS}+4T_{PM}\approx 2.0624$	8448
[32]	$19T_H\approx 0.0152$	1800
[20]	$9T_H+4T_{MExp}+T_{Bh}\approx 0.5351$	4520
[35]	$11T_H+2T_{MExp}+T_{Bh}\approx 0.2985$	2688
[8]	$16T_H+8T_{EccM}+2T_{Bh}\approx 0.5278$	4864
[15]	$24T_H+8T_{EccM}+2T_{Bh}\approx 0.5342$	4288
[16]	$17T_H+T_{Fc}\approx 0.0651$	864
[17]	$14T_H+T_{Fc}\approx 0.0627$	1056
[18]	$16T_H+3T_{SE/D}+T_{Fe}\approx 0.1072$	2096
[21]	$20T_H+8T_{EccM}+T_{Bh}\approx 0.4795$	3408
[33]	$16T_H+6T_{EccM}+2T_{Bh}\approx 0.4248$	1568
[22]	$13T_H+6T_{EccM}+2T_{SE/D}+T_{Fe}\approx 0.3852$	1856
[29]	$19T_H+2T_{SE/D}+13T_{PM}+11T_{PAS}+T_{PUF}+2T_{Fe}\approx 6.7519$	4800
Our	$12T_H+T_{Ke}+2T_{En}+2T_{De}+T_{Fe}\approx 0.0908$	4192

shows the comparison of our protocol with other relevant protocols in terms of the computational and communication costs. The table shows that the computational cost of our protocol is lower than those of most other relevant protocols, except protocols in [16,17,32]. The reason for the lower computational cost is that fewer hash functions and a faster KEM are used in our protocol. However, when it comes to communication costs, our protocol fails to demonstrate a clear advantage. The increased communication cost mainly stems from the use of KyberKEM, a lattice-based key encapsulation mechanism that provides post-quantum security. Compared to traditional cryptographic primitives, such as ECC or RSA, lattice-based operations generally involve larger data payloads, especially during key exchange and authentication phases. While this leads to higher communication overhead, it is a necessary trade-off to ensure long-term security in the face of future quantum threats.

Our approach is particularly well suited for medium- to high-security environments where post-quantum resilience is a priority, even at the cost of slightly increased communication overhead. Example application scenarios include the following: Government and military communication systems, where long-term data confidentiality is critical. Healthcare information systems, especially those handling sensitive patient records that must remain secure for decades. Critical infrastructure control systems, where future-proof security is essential despite moderate performance costs. Enterprise-level multi-service access platforms, where users need to access multiple internal services after a single registration, without relying on an online RC.

In summary, our protocol is designed for high-security environments where the benefits of post-quantum security, multi-server support, and offline RC functionality outweigh the need for minimal communication overhead.

6. Conclusions

This paper presents a post-quantum secure multi-factor authentication protocol designed for multi-server architecture and offline RC scenarios. The proposed protocol uses Kyber KEM and an information-theoretically secure fuzzy extractor as building blocks. A formal security analysis shows the semantic security of the proposed protocol in the real or random model. The informal security analysis shows that our protocol can resist various known attacks, including user anonymity, replay attacks, privileged-insider attacks and offline password guessing attacks. The performance analysis reveals that our protocol outperforms most existing multi-factor authentication protocols in computational efficiency and security. Despite a minor increase in communication overhead, this trade-off is offset by improvements in both security and computational performance.