A Secure and Efficient Handover Authentication Protocol for Wireless Networks

Handover authentication protocol is a promising access control technology in the fields of WLANs and mobile wireless sensor networks. In this paper, we firstly review an efficient handover authentication protocol, named PairHand, and its existing security attacks and improvements. Then, we present an improved key recovery attack by using the linearly combining method and reanalyze its feasibility on the improved PairHand protocol. Finally, we present a new handover authentication protocol, which not only achieves the same desirable efficiency features of PairHand, but enjoys the provable security in the random oracle model.


Introduction
In today's world, wireless communication networks are ubiquitous, and mobile handheld devices, such as PDAs, smart phones and laptop PCs, have a wide influence on various aspects of people's lives.
To overcome the restriction of geographical coverage, seamless access services are highly desirable for WLANs and mobile wireless sensor networks (WSNs), but how to ensure the security and efficiency of this process is still challenging. Recently, as a promising seamless access control technology, handover authentication protocols have received much attention [1][2][3][4][5][6][7][8][9][10][11][12]. A handover authentication scenario is always assumed to involve three kinds of parties: mobile nodes (MNs), access points (APs) and the authentication server (AS). An MN is a registered user on AS, who accesses its subscribed services by connecting any AP. An AP acts as a guarantor for vouching for an MN as a legitimate subscriber. When an MN leaves the service area of the current AP (e.g., AP1) and tries to connect a new AP (e.g., AP2), the new AP will start its handover authentication process to identify the MN. If the authentication succeeds, a session key will be built between the MN and AP2 to escort the MN's later access. Otherwise, the requirement for accessing will be rejected by AP2. A promising application of this kind of protocol appears in three-tiered mobile WSNs [13], which consist of a base station, access points, mobile agents and sensor nodes. In the highest layer, the base station works as the AS to deploy access points and to register mobile agents by granting the corresponding authentication keys. The access points are the APs with the task of receiving and verifying the message from the medium layer. The medium layer is composed of the mobile agents, which can be mobile phones, vehicles, men and even animal, acting as the MNs and responsible for gathering data from the sensor nodes in the lowest layer and, then, forwarding to the upper layer.
Recently, He et al. [14] introduced an interesting handover authentication protocol, named PairHand. For improving the communication efficiency and reducing the burden on AS, PairHand only requires two handshakes between MN and AP for mutual authentication and key establishment, instead of relying on the participation of AS. Furthermore, considering the high cost and the inconvenience of revoking users due to using a group signature in the authentication process, PairHand makes its construction directly based on the pairing-based cryptography and uses a pool of shorter-lived pseudonyms to protect users' privacy. Unfortunately, shortly after, He et al. [15] found that there is a serious design weakness in PairHand protocol that enables an adversary to easily obtain the private key from the message transported in the first round of the protocol and presented an improvement by utilizing a composite order bilinear group, claiming that the improved version fixes the security problem without losing any of the desirable feature of PairHand. However, Yeo et al. [16] showed that if an attacker obtains multiple authenticated messages generated with the same pseudo-ID, it will be likely to recover the private key of the mobile node. Furthermore, Yeo et al. [16] and Tsai et al. [17] pointed out another dilemma of the improved version that suggested that the 160-bit composite is insecure, but using a 1,024-bit composite-order group will lead to a great drop in the efficiency. At the same time, Tsai et al. [17] presented a provably secure handover authentication protocol, which solves the above security problem, but increases the size of the public key.
In this paper, we provide a linear combination method to reduce the number of captured signatures corresponding to the same pseudo-ID required by the key recovery attack on the improved PairHand [15]. By repeatedly linearly combining arbitrary two-captured signatures from the same pseudo-ID in a random way, the attacker can compute out the private key of MN with a very high probability. To improve the security without losing the desirable features, we present a new handover authentication protocol that overcomes the security weakness of the original PairHand and achieves the same level of high efficiency. Finally, in the random oracle model, we prove that this protocol enjoys both semantic security and authentication security.

The Bilinear Maps and Complexity Implications
In this section, we briefly recall bilinear maps and some difficult problems that will be used in the followings.
Let G be a cyclic additive group of composite order q and G T be a cyclic multiplicative group of the same order. Let e : G × G → G T be a bilinear map that satisfies the following properties.
• Computability: there exists an efficient algorithm to compute e(P, Q) for ∀P, Q ∈ G.
Computational Diffie-Hellman (CDH) assumption: Given P,aP and bP for some a, b ∈ Z * q , it is computationally intractable to compute the value abP. Bilinear Diffie-Hellman (BDH) assumption: Given P,aP,bP and cP for some a, b, c ∈ Z * q , it is computationally intractable to compute the value e(P, P) abc .

Security Model
Generally, there are two kinds of handovers: a hard handover and a soft handover. The difference between them is that in a hard handover, the former connection with AP1 is broken before the new connection is established between MN and AP2, while in a soft handover, MN can retain the connection with AP1 after building the new connection with AP2. For simplicity, it is assumed that there is no communication among APs and that handover authentication protocols perform in the hard handover model. In the following, we present the formal security model for handover authentication protocols, which follows the approach initiated by Bellare and Rogway [18,19] and modified by Bresson et al. [20].

Communication Model
Protocol participants: In the model, there are two kinds of participants: mobile node MN and access point AP, which have unique identities ID MN and ID AP , respectively. Each instance of a participant (U or V) is molded as an oracle, denoted by Π n MN (Π n AP , respectively), meaning the n-th running instance of the participant MN (AP, respectively).
Protocol execution: In the model, it is assumed that an adversary A fully controls over the communication channels and can create several concurrent instances of the protocol. The public parameters params and identity information are known to all participants, including the adversary. During the execution of the protocol, the interaction between the adversary and the protocol participants occurs only via oracle queries, which models the adversary capabilities in a real attack. At any time, the adversary makes the following queries: (1) Execute(Π n U , Π m V ): This query models passive attacks, where the attacker gets access to honest executions between instances Π n U and Π n V by eavesdropping. The output of this query is the complete transcript that was transported during the honest execution of the protocol.
(2) S end(Π n U , M): This query models an active attack against an MN or AP, in which the adversary sends a message to the instance Π n U . The output of this query is the message that the instance Π n U generates upon receipt of the message M. (3) Reveal(Π n U ): This query models the misuse of session keys. Only if the session key of the instance Π n U is defined, the query is available and returns to the adversary the session key. (4) T est(Π n U ): This query is to measure the semantic security of the session key of instance Π n U : If the session key is not defined, it returns ⊥. Otherwise, it returns either the session key held by the instance if b = 0 or a random number of the same size if b = 1, where b is the hidden bit previously selected at random before the protocol runs. (5) Corrupt(ID U ): This query models the exposure of the long-term secret key. When the adversary makes this query, the oracle returns the private key corresponding to ID U .

Security Definitions
Notation: An instance Π n U is said to be opened if the query Reveal(Π n U ) has been made by the adversary. We say an instance Π n U is unopened if it is not opened. An instance Π n U is said to be accepted if it goes into an accept state after receiving the last expected protocol message.
Partnering: We say two instances Π n U and Π m V are partners if the following conditions are met: (1) they are an MN and an AP, respectively; (2) both Π n U and Π m V are accepted; (3) both Π n U and Π m V share the same session ID sid; (4) the partner identification for Π n U is Π m V and vice versa; and (5) no instance other than Π n U and Π m V accepts with a partner identification equal to Π n U or Π m V . Freshness: If an instance Π n U has been accepted, both the instance and its partner are unopened and they are both instances of honest clients, we say the instance Π n U is fresh. Semantic security: The security notion is defined in the context of executing an ID-based handover authentication protocol P in the presence of an adversary A. During the protocol execution, A is allowed to make multiple Execute, S end and Reveal queries, but at most, one T est query, to a fresh instance of an honest participant. Finally A outputs a bit guess b for the bit b hidden in the Testoracle. The adversary A is said to be successful if b = b. We denote the event by S ucc and define the advantage of A in violating the semantic security of the protocol P as follows: where k is the security parameter and t is the time parameter.
We say a handover authentication protocol P is semantically secure if the advantage Adv A,P (k, t) is negligible.
Authentication security: To measure the security of a handover authentication protocol resisting the impersonation attacks, we consider the mutual authentication between MN and AP. We denote by Auth MN→AP A,P (k, t) (or Auth AP→MN A,P (k, t), respectively) the probability that an adversary A successfully impersonates an MN instance during executing the protocol P, while the target AP (or MN, respectively) does not detect it, where k is the security parameter and t is the time parameter. We say a handover authentication protocol P is mutual authentication secure if both Auth MN→AP A,P (k, t) and Auth AP→MN A,P (k, t) are negligible in the security parameter.

Review of the Protocol
In this section, we review He et al.'s improved protocol [15], which is very similar to the original PairHand and consists of four phases: system initialization, handover authentication, batch authentication and denial-of-service (DoS) attack resistance. The only differences between the two versions appear at the selection of the group order in the system initialization phase and the computation of the hash value of the authentication message in the handover authentication phase, and our attack is exactly to address these two phases. Below, we only review the first two phases of the improved PairHand protocol. For more details, please refer to [14].

System Initialization
The AS randomly chooses a value s ∈ Z * q as the master key and a generator P of G, computes the corresponding public key P pub = sP and selects two cryptographic hash functions H 1 and H 2 , where H 1 : {0, 1} * → G and H 2 : {0, 1} * → Z * q . The resulting public system parameter, params, is {G, G T , q, P, P pub , H 1 , H 2 }, and the private secret of AS is s. For each AP, AS computes H 1 (ID AP ) and sH 1 (ID AP ) as the public and private keys of that AP, respectively, and delivers them to the AP via a secure channel, where ID AP is the identity of the AP.
For the registration of a qualified MN i with real identity ID i , AS generates a family of unlinkable pseudo-IDs PID = {pid 1 , pid 2 , · · · }, computes the public key H 1 (pid j ) and the corresponding private key s · H 1 (pid j ) for each pseudo-ID pid j ∈ PID and, finally, securely sends to MN i all tuples (pid j , sH 1 (pid j )). The use of shorter-lived pseudonyms is to protect each MN's privacy, preventing them from being traced.

Handover Authentication
When an MN, say i, moves into the communication range of a new AP (AP2), a handover authentication process, which is shown in Figure 1, will be performed between MN i and AP2 in the following steps.
(1) MN i firstly picks an unused pseudo-ID pid i from his pseudo-ID family and the corresponding private key sH 1 (pid i ). Then, MN i generates an authentication message as M i = pid i ||ID AP2 ||ts, where ts is a timestamp, which is used to resist against replay attacks and "||" denotes the concatenation of messages and checks whether H 2 (M i ) and q are co-prime or not. If H 2 (M i ) and q are not co-prime, it does nothing; otherwise, it continues to append redundant bits rb into M i until H 2 (M i ) and q are not co-prime. After that, MN i computes the signature σ i = H 2 (M i ) · sH 1 (pid i ) and unicasts the access request message {M i , σ i } to AP2. Finally, MN i computes the session key with AP2 as K i−2 = e(sH 1 (pid i ), H 1 (ID AP2 )). (2) Upon receiving the request message {M i , σ i }, AP2 firstly checks whether the timestamp ts is valid.
(3) Upon receipt of the message {pid i , ID AP2 , Aut}, MN i computes the verification code Ver = H 2 (K i−2 ||pid i ||ID AP2 ) and compares it with Aut. If they are equal, MN i confirms that AP2 is legitimate, and the generated session key is valid. Otherwise, MN i cancels the connection. (4) At last, AP2 securely transports {M i , σ i } to AS. By receiving this message, AS can identify the real identity of MN i according to the pseudo-ID in M i .
After successfully executing the handover protocol, MN i and AP2 share a session key, since Furthermore, the use of a pseudo-ID enables unilateral anonymous authentication for the MN i, and each session is uniquely identified by (pid i , ID AP2 ).

Attack on the Protocol
For the original PairHand protocol, what enables an attacker to recover the private key sH 1 (pid i ) is that when H 2 (M i ) and q are co-prime, he can use the inverse u of The countermeasures of He et al. [15] are to restrict the group order q to be a composite and to append redundant bits into the request message M i to ensure that the resulting H 2 (M i ) and q are not co-prime. By doing this, it seems that the private key sH 1 (pid i ) will not be exposed by the signature σ i , since there is no modular inverse for H 2 (M i ).
However, the following attack will show that He et al.'s improved protocol [15] does not eradicate the design weakness. Our attack is based on the assumption [6] that adversary A has total control over all communication channels between AP2 and MN i. This means that the adversary may intercept, delete or modify any message in the channels. Suppose that MN i requests the service of a new access point AP2 by sending the message (M i , σ) (where M i = pid i ||ID AP2 ||ts||rb and σ i = H 2 (M i ) · sH 1 (pid i )) in a wireless channel, which is dominated by the adversary A. A interrupts the request message, so that MN i will not receive the response from AP2. After a certain delay, MN i will regenerate a new request message (M i , σ i ) and send it to AP2, where M i = pid i ||ID AP2 ||ts ||rb , σ i = H 2 (M i ) · sH 1 (pid i ), ts denotes a new timestamp and rb is a new redundant bit string. Since A controls the whole network communication, it can easily capture the new message. Once the adversary A owns two authentication messages (M i , σ) and (M i , σ i ) corresponding to the same pseudo-ID pid i , it randomly selects two values x 1 , x 2 ∈ Z q and computes: Then, A directly computes β = (x 1 · H 2 (M i )+ x 2 · H 2 (M i ))(modq) by using M i and M i and checks whether β and q are co-prime. If yes, it generates γ = (x 1 · H 2 (M i ) + x 2 · H 2 (M i )) −1 (modq) and computes the private key sH 1 (pid i ) = γ · α. Otherwise, it reselects random values x 1 , x 2 and computes α and β again, until β and q are co-prime.
As q is a randomly generated system parameter, M i and M i are random messages and x 1 and x 2 are randomly chosen from Z p , we can approximately view q and β = (x 1 · H 2 (M i )+ x 2 · H 2 (M i ))(modq) as two independent random numbers. Let {p 1 , p 2 , p 3 , · · · } denote the ascending sequence of all prime numbers, and let p k be the largest prime number less than q. The probability that β is divisible by a prime p i is 1 p i , where i ≤ k, and the same fact holds for q. Therefore, the probability that the two numbers β and q are both divisible by this prime number is 1 , whilst the probability that at least one of them is not is 1 − 1 Thus, the probability of the success of our attack for one time, P success , which is equal to the probability that β and q are co-prime, is: Obviously, a natural way to cope with the above attack is to ensure that each pseudo-ID is used only one time, regardless of whether the AP responds correctly, which will require different signatures to correspond to different pseudo-IDs. As a consequence, it is impossible for an adversary to compute out the private key by using linear combinations of two signatures. However, this countermeasure will largely reduce the availability of the handover authentication protocol and give rise to more serious security problems, as shown as follows. When an MN moves and leaves from the service range of its old AP, it will attempt to connect to and identify a new AP by instantly sending authentication messages. Once a pseudo-ID is used only one time, an attempt to connect will cost one pseudo-ID of the MN, which will cause a great waste on the pseudo-IDs and force the MN to store a much larger number of pseudo-IDs. However, mobile nodes are often lightweight devices and have limited storage spaces, this makes them unable to afford a large number of redundant pseudo-IDs. Additionally, the increase of the number of pseudo-IDs will lead to the growth of the length of pseudo-IDs, which deeply affects the efficiency of the computation and the communication of the whole wireless network. More seriously, if there is an adversary who always interrupts the request authentication message of an MN, the MN will eventually use up all its pseudo-IDs and be out of the service of the system, due to instantly repeating the request. Such an attack can be avoided by using additional precautions, such as delaying the response or introducing exponentially increasing delays after failed attempts and switching to other AP after an excessive amount of failures. However, all of these measures are very costly and can cause more additional risks, which is contrary to the design rational of PairHand.

Our Handover Authentication Protocol
According to the above analysis, the point to overcome the security weakness of the two PairHand protocols is to provide a secure authentication mechanism for the first message transmission. Below, we provide a simple scheme, which not only eliminates the security risks mentioned above, but greatly preserves the desirable efficiency features of the original protocol. Similar to PairHand, the proposed scheme is composed of four phases: system initialization, handover authentication, batch authentication and DoS attack resistance, where the first phase and the fourth phase are the same as those of the PairHand protocol. For the sake of completeness, all of the four phases are fully described in the following.

System Initialization
Let G be a cyclic additive group of composite order q and G T be a cyclic multiplicative group of the same order. Let P be a generator of G and e be a bilinear map e : G × G → G T .
The AS randomly chooses a value s ∈ Z * q as the master key, computes the corresponding public key P pub = sP and selects two cryptographic hash functions H 1 and H 2 , where H 1 : {0, 1} * → G and H 2 : {0, 1} * → Z * q . The resulting public system parameter, params, is {G, G T , q, P, P pub , H 1 , H 2 }, and the private secret of AS is s. For each AP, AS computes H 1 (ID AP ) and sH 1 (ID AP ) as the public and private keys of that AP, respectively, and delivers them to the AP via a secure channel, where ID AP is the identity of the AP.
For the registration of a qualified MN i with real identity ID i , AS generates a family of unlinkable pseudo-IDs PID = {pid 1 , pid 2 , · · · }, computes the public key H 1 (pid j ) and the corresponding private key s · H 1 (pid j ) for each pseudo-ID pid j ∈ PID and, finally, securely sends to MN i all tuples (pid j , sH 1 (pid j )).

Handover Authentication
When an MN, say i, moves into the communication range of a new AP (AP2), a handover authentication process will be performed between MN i and AP2 in the following steps.
(1) MN i firstly picks an unused pseudo-ID pid i and the corresponding private key sH 1 (pid i ) and computes M i = (pid i ||ID AP2 ||ts), where ts is the timestamp. Then, MN i chooses a random value r i ∈ Z * q , which is a nonce, computes R i = r i P and σ i = H 2 (M i ||R i ) · sH 1 (pid i ) + r i P pub and unicasts the access request message M i and its signature pair (R i , σ i ) to AP2. Finally, it computes the session key with AP2 as K i−2 = e(sH 1 (pid i ), H 1 (ID AP2 )).
(2) Upon receiving the message {M i , r i , σ i }, AP2 checks the timestamp ts. If invalid, the request is rejected. Otherwise, AP2 verifies if e(σ i , P)=e(H 2 (M i ||R i )H 1 (pid i ) + R i , P pub ). If true, AP2 computes the session key K 2−i = e(H 1 (pid i ), sH 1 (ID AP2 )) and the authentication code Aut = H 2 (K 2−i ||pid i ||ID AP2 ) and, then, sends the tuple {pid i , ID AP2 , Aut} to MN i. The handover authentication phase of the proposed scheme is also shown in Figure 2.

Batch Authentication
A mass of signature verifications is likely to cause the potential bottleneck at APs. Batch authentication [14] is a desirable feature to solve the problem, which allows APs to verify multiple signatures simultaneously. Its advantage lies in that the total computation cost in the verification performed by APs can be apparently reduced.
Our protocol still enjoys the batch authentication feature. Suppose n request messages {M 1 , R 1 , σ 1 }, {M 2 , R 2 , σ 2 }, · · · , {M n , R n , σ n }, come simultaneously from n distinct MNs, MN 1, MN 2, · · · , MN n, respectively. The target AP can perform a batch verification on these n signatures as follows: From the above equation, it is obvious that the computation cost of verifying n signatures is dramatically reduced to n point multiplication and two pairing operations by using the batch processing.

DoS Attack Resistance
In the handover authentication circumstance, DoS attack is an attempt to exhaust the resources of AP and AS and make them unavailable to its intended partners. A usual manner adopted by the adversary is to inject bogus access requests to the networks, forcing the APs to perform expensive cryptographic verifications and eventually exhaust their resources.
The proposed scheme still adopts the polynomial-based lightweight verification of PairHand [14] to resist the DoS attack. In the system initialization phase, AS randomly generates a bivariate t-degree polynomial f (x, y) = t i, j=0 a i j x i y j over a prime field F p , such that f (x, y) = f (y, x). When MN i registers to AS, for each pseudo-ID pid i , AS computes f (pid i , y), which is a polynomial share of f (x, y), and then securely transmits them to MN i. Furthermore, AS computes and deliveries f (ID AP , y) to each AP, where ID AP is the identity of the AP. As the evaluation of the polynomial is very fast [14], each AP can perform a lightweight verification on the access request from MN i by checking f (pid i , ID AP ) where the former is computed by MN i with f (pid i , y) at point ID AP and the later is done by the AP with f (ID AP , y) at point pid i . Once an AP is under attack, it starts the above measure, adding "Yes" and its identity into the beacon messages. As a result, DoS attack can be effectively mitigated, since each AP can promptly verify the authorized user with the communication key before conducting expensive cryptographic verifications.

Security Analysis
Theorem 1. Assume hash functions H 1 and H 2 are random oracles. Let A be a probabilistic polynomial time Turing machine. Let Q s , Q 1 and Q 2 respectively denote the number of queries that A can ask of the Sendoracle, the number of queries that A can ask of the H 1 random oracle and the number of queries that A can ask of the H 2 random oracle. If the attacker A can successfully violate the MN-to-AP authentication security of the protocol within time T, with probability ε ≥ 10(Q s + 1)(Q s + Q 2 )/q, then another probabilistic polynomial time Turing machine B can be built to utilize A to break the CDH problem in expected time T ≤ 120686Q 2 1 Q 2 T/ε. Proof. Suppose that the attacker B is given a challenging CDH triple (P, aP, sP) and its goal is to compute asP. B runs A as a subroutine and simulates the environment for attacking the protocol. According to the challenging instance, B provides A the public parameters (G, G T , e, q, P, P pub , H 1 , H 2 ), such that P pub = sP.
Without loss of generality, we assume that for any pseudo-ID, the adversary A invokes H 1 , H 2 , S end, Execute and Corrupt at most once. To provide consistent responses for these queries, B maintains two lists L H 1 and L H 2 , which are initially empty. H 1 -query: When A invokes an H 1 query for pid i , B checks whether pid i = pid U . If yes, B returns aP. Otherwise, B returns a randomly selected value h ∈ G and appends < pid i , h > into the list L H 1 . H 2 -query: When A invokes an H 2 query for messages (m, R), B returns a random number t ∈ Z * q and stores < m, R, t >. Corrupt-query: If the queried pseudo-ID is legal and is not equal to pid U , B searches the corresponding item in the list L H 1 according to the pseudo-ID and then returns the secret key. Otherwise, B returns ⊥. Execute-query: This query is responded to by invoking the corresponding S end queries. Send-query: When A invokes a send(Π n i , m) query, simulator B extracts pid i involved in the query and uses it to invoke query H 1 . Then, B randomly chooses r i , t ∈ Z * q , computes σ i = r i P pub , R i = r i P − tH 1 (pid i ) and stores the item < m, R i , t > in the list L H 2 . Finally, it outputs (pid i , R i , σ i ). If there is no collision of queries to the random oracle during the process, B can successfully simulate the protocol environment in front of A, due to the fact that the probabilities of the duple (α, β, γ, δ), such that β ∈ Z * q , α, γ, δ ∈ G and e(γ, P) = e(βα + δ, sP) appear, the following two distributions Γ and Γ are the same.
According to the Forking lemma [21], if A outputs a valid authentication message tuple (pid U , m, σ, R), after a polynomial replay of the attacker A with the same tape, but different choices of H 2 , B obtains two valid message tuples (pid U , m, σ = tsaP + rsP, R = rP) and (pid U , m, σ = t saP + rsP, R = rP) with t t and eventually resolves the CDH challenge by computing asP = (σ − σ )/(t − t ).
Additionally, the probability of that the two forged authentication messages correspond to pid U is 1/Q 2 1 . As a result, the upper bound of the expected time for breaking the CDH problem will be expanded Q 2 1 -times the one in the Forking lemma. Theorem 2. Assume hash functions H 1 and H 2 are random oracles. Let A be a probabilistic polynomial time Turing machine. If the attacker A can successfully violate the AP-to-MN authentication security of the protocol, then another probabilistic polynomial time Turing machine B can be built to utilize A to break the BDH problem.
Proof. Let (P, aP, bP, sP) be the BDH instance provided to the simulator B. To simulate the attacking environment for A, B publishes the public parameters (G, G T , e, q, P, P pub , H 1 , H 2 ), such that P pub = sP and maintains two hash lists L H 1 and L H 2 , which are initially empty. Without loss of generality, we assume that for any pseudo-ID or AP identity, the adversary A invokes H 1 , H 2 , S end, Execute and Corrupt at most once. Let Q M and Q A be the number of queries that A can ask of the random oracle H 1 for MN nodes and the number of queries that A can ask of the random oracle H 1 for AP nodes, respectively. B guesses the target session between the MN pid U and the AP ID V , which are randomly chosen. H 1 -query: If A makes an H 1 query for pid U , B returns aP. If the query is for the AP identification ID V , B returns bP. Otherwise, B returns a randomly selected value h ∈ G and adds < pid i , h > or < ID V , h > into the list L H 1 . H 2 -query: When A invokes an H 2 query for messages M, B chooses a random number t ∈ Z q , stores < M, t > the list L H 2 and then returns it.
Corrupt-query: If the queried identity is legal and is not equal to pid U and ID V , B searches the corresponding item in the list L H 1 according to the identity and then returns the secret key. Otherwise, B returns ⊥. Execute-query: This query is responded to by invoking the corresponding S end queries. Send-query: There are two types of S end queries: MN-to-AP and AP-to-MN, denoted by S end1 and S end2, respectively. B answers them by invoking the H 1 and H 2 queries.
• If the query is S end1, simulator B randomly chooses r i , t ∈ Z * q and computes σ i = r i P pub , R i = r i P − tH 1 (pid i ) by invoking H 1 queries with ID i . Then, it adds the item (m, R i , t) in the list L H 2 and outputs message tuple (pid i , R i , σ i ).
• If the query is S end2, simulator B checks whether e(σ i , P)=e(H 2 (M i ||R i )H 1 (pid i ) + R i , P pub ).
If false, B outputs "⊥". Otherwise, B chooses a random value k ∈ G T and computes aut = H 2 (k||pid i ||ID j ) by making the H 2 query. Finally, it returns the message tuple (aut||pid i ||ID j ).
The success of B breaking the BDH problem denotes the event that pid U and ID V are partners and A asks the H 2 query with a tuple (K||pid U ||ID V ) where K = e(P, P) abs . According to the above simulation, the probability that pid U and ID V are partners is 1/Q M Q A . Therefore, if A outputs a valid authentication message with probability ε, the probability of the success of B is less than ε/Q M Q A . Theorem 3. Assume hash functions H 1 and H 2 are random oracles. If the protocol enjoys the mutual authentication security, it is also semantically secure.
Proof. To prove the semantic security for the protocol, we apply the same simulation way used in proving Theorem 2. Let F 1 (or F 2 , respectively) denote the event that the attacker successfully forges an MN-to-AP (or AP-to-MN, respectively) authentication message. Let S 0 (or S 1 , respectively) denote the event that in the real (or simulated, respectively) attacking game, the attacker successfully guess the challenge bit involved in the T est oracle. If both the events F 1 and F 2 do not happen, the real and simulated games proceed identically, and we get the following equation: On the other hand, it is obvious that in the simulation, the attacker cannot obtain any information about the protocol session key, since the session key is a randomly chosen value not related to any message transported in the public information channel. This means that the attacker can only guess the hidden bit, so that Pr[S 1 ] = 1/2. Following the difference lemma [22], we get According to the definition of the semantic security for the protocol, then we have Adv A,P (k, t)

Performance Comparison
Compared with the existing handover authentication protocols, the proposed protocol has the advantage in communication, computation and security. For those protocols prior to PairHand [1][2][3][4][6][7][8][9][10]12], its superiority comes through the low burden on AS, the two-run handshakes between MN and AP, the batch authentication and the privacy protection for MN. To evaluate its advantage over the post-PairHand protocols [14,15,17], we mainly consider its performance superiority on secret key size, computational cost and security features. In Table 1, we present the comparison results on these aspects among He et al.'s improved PairHand [15], Tsai et al.'s [17] protocol and our scheme. For computational cost, we focus on the time spent on the high cost operations, such as the time spent on the paring operations (T p ), the time spent on the multiplications on the elliptic curve (T m ) and the time spent on the search for non-co-primes (T s ), while the time spent on highly efficient operations, such as the hash function and the scalar addition on the elliptic curve, is neglected. The estimate of the time consumption at an MN is based on He et al.'s work in [14,15], where by using the MNT curve with the order of 160 bits and the degree k = 6 and the MIRACL and PBC libraries (c/c++), an MN runs on an 800 MHz processor. To evaluate the length of the messages transmitted in the protocol execution, we assume that the lengths of pid i , ts and ID AP2 are four, two and four bytes, respectively. We notice that the computational time of our protocol and Tsai et al.'s protocol are much lower than He et al.'s protocol, due to their prime-order work groups. This is because the composite order in He et al.'s protocol should be at least 1024-bit to be infeasible to factorize, while a 160-bit prime order is enough to achieve the same security level. An estimation [23] shows that the composite-order pairing is roughly 50-times slower than its prime-order counterpart. For security, both our scheme and Tsai et al.'s protocol enjoy provable security, but He et al.'s protocol does not. In terms of the secret key size, our protocol is superior to Tsai et al.'s protocol and is the same as the original PairHand protocol [14]. As a result, our scheme can be easily implanted to the running environment of the original PairHand protocol without any change to the public and private parameters.

Conclusions
In this paper, in reviewing the PairHand family protocols, we present a stronger key recovery attack on an improved PairHand protocol, which requires less signatures to be generated with the same private key compared with the existing attacks. Consequently, we present a new handover authentication protocol and prove its security in the random oracle model. Compared with the two latest handover authentication protocols, the proposed protocol has the advantages of efficiency and security.