A User Authentication Scheme Based on Elliptic Curves Cryptography for Wireless Ad Hoc Networks

The lack of infrastructure support in a wireless ad hoc network (WANET) exposes it to various attacks. Moreover, user authentication is the first safety barrier in a network. Mutual trust is achieved by a protocol that enables communicating parties to authenticate each other at the same time and to exchange session keys. For the resource-constrained WANET, an efficient and lightweight user authentication scheme is necessary. In this paper, we propose a user authentication scheme based on the self-certified public key system and elliptic curves cryptography for a WANET. Using the proposed scheme, efficient two-way user authentication and secure session key agreement can be achieved. Security analysis shows that our proposed scheme is resilient to common known attacks. In addition, the performance analysis shows that our proposed scheme performs similarly to or better than some existing user authentication schemes.

communication, and so on. However, the WANET is vulnerable to various attacks due to the absence of infrastructure support [1]. Security of the WANET is critical for its deployment and management. Moreover, user authentication is the first safety barrier in a network. That is, each node needs to ensure that the peer node with which it is communicating is who it claims to be. On the other hand, wireless devices have limited computation capability, memory and energy. For the resource-constrained WANET, an efficient and lightweight user authentication scheme is necessary.
Many user authentication schemes have been proposed for the WANET in recent years. In [2], Bechler, M. et al. proposed a cluster-based user authentication scheme, where a cluster head controls the cluster. Since the cluster structure is useful for enhancing scalability, the cluster-based authentication scheme is more suitable for large-scale networks. However, this scheme is exposed to a single point of failure since all cluster members depend on the cluster head. A distributed key management and user authentication approach is proposed in [3], where the concepts of identity-based key cryptography and threshold secret sharing are used. This approach works in a self-organizing way to provide the key generation and management service, and effectively solves the single point of failure problem. However, security is breached when a threshold number of shareholders are compromised. Other user authentication schemes were proposed in [4] and [5], where a certificate server (CS) is used to issue users' certificates and public keys. In addition, users perform identity authentication with the assistance of the CS. However, the CS is hard to set up because of the dynamics of nodes in WANETs. Moreover, if identity authentication needs the help of the CS, the storage and management requirements of certificates increase the burden on the CS.
Most user authentication schemes mentioned above use the public key infrastructure (PKI) [6] or the identity-based public key cryptosystem (ID-PKC) [7]. However, the high complexity of certificate handling in PKI greatly increases the system burden. In addition, the key escrow problem of ID-PKC is also a serious problem.
Unlike the prior work, the self-certified public key (SCPK) cryptosystem [8] is another kind of scheme. In this scheme, the certificate authority (CA) embeds its signature in the user's public key, and computes the user's private key cooperatively with the user. The advantage of the SCPK scheme is that the authenticity of a user's public key can be verified publicly without using any certificate issued by the CA, and the private key is known to the user only. Hence, this scheme does not need the digital certificates of the PKI scheme, and also avoids the key escrow problem of the ID-PKC scheme.
Compared with RSA, one of the most widely accepted and traditional public key cryptosystems, elliptic curves cryptography (ECC) has attracted considerable attention due to its smaller key size and lower resource consumption for achieving the same security level. This is because the point addition operation in ECC is the counterpart of modular multiplication in RSA, and repeated addition (scalar multiplication) is the counterpart of modular exponentiation. Furthermore, ECC is based on the intractability of the elliptic curve discrete logarithm problem (ECDLP). That is, finding an effective and rapid solution to the ECDLP is still a hard problem [9].
Hence, a user authentication scheme based on SCPK and ECC is a feasible alternative for resource-constrained wireless networks, such as WANETs, mobile ad hoc networks and wireless sensor networks. Several user authentication schemes using SCPK and ECC have been proposed [10][11][12]. In [10], a distributed user authentication scheme based on SCPK was presented. In this scheme, each user gets his/her public/private key from the CA through a secure communication channel. However, providing a secure communication channel in a wireless network is not trivial. A user authentication and key agreement scheme was proposed in [11], where a timestamp mechanism is used to resist the replay attack. However, it is a difficult task to maintain time synchronization in a WANET. In addition, the session key in this scheme cannot resist the key compromise impersonation attack. In [12], a novel self-certified secure access authentication protocol was proposed. In this scheme, a challenge-response mechanism is adopted to resist the replay attack. However, the user's private key can be compromised easily.
In this paper, we propose a user authentication scheme based on SCPK and ECC for a WANET. In order to reduce the computational complexity, the SCPK scheme proposed in [13] is modified using ECC. The proposed user authentication scheme consists of three phases, namely the setup phase, the user registration phase, and the user authentication phase. In the setup phase, the CA selects and generates the global system parameters and publishes them to the whole network. In the user registration phase, users register with the CA to obtain the private/public key pairs used for authentication. In the user authentication phase, users authenticate each other's identities using their private/public keys and the CA's public key. Finally, we analyze the performance of the proposed user authentication scheme in terms of security, storage overhead, communication overhead and computation overhead. Analysis results show that our proposed scheme achieves efficient two-way user authentication and secure session key agreement. Hence, the proposed scheme is efficient and suitable for the resource-constrained WANET.
Our proposed user authentication scheme differs from the existing user authentication schemes in [10][11][12] in the following respects: (1) no secure communication channel is needed for distributing users' public/private keys; (2) a modified challenge-response mechanism is adopted to resist the replay attack; (3) an authentication mechanism between the user and the CA in the user registration phase is used to resist the user masquerade attack.
The remainder of the paper is organized as follows. In Section 2, the system model for the proposed user authentication scheme is introduced. In Section 3, the proposed user authentication scheme based on SCPK and ECC is presented. The security and performance of the proposed scheme are analyzed in Sections 4 and 5, respectively. Finally, we conclude the paper in Section 6.

System Model
Figure 1 shows the system architecture for our proposed user authentication scheme. In this system, a CA is deployed to generate users' private/public key pairs cooperatively with the users. Each user knows the public key of the CA. With the public key of the CA, each user can verify the identity of the peer user with whom he/she is communicating.
To clarify the proposed user authentication scheme, notations and their denotations are summarized in Table 1.

Table 1. Notations and their denotations.

GF(p) | The finite field
a, b | The elliptic curve parameters, real numbers
Ep(a, b) | The elliptic curve over GF(p) consisting of the elliptic group of points defined by $y^2 = x^3 + ax + b \pmod p$

The Proposed User Authentication Scheme
In this section, a user authentication scheme based on SCPK and ECC for a WANET is presented. The proposed scheme is divided into three phases, namely the setup phase, the user registration phase, and the user authentication phase. In the setup phase, the CA generates the system parameters and publishes them to users. In the user registration phase, users obtain their private/public key pairs by registering with the CA. In the user authentication phase, users authenticate each other's identities with the help of their private/public keys and the public key of the CA.
The detail of the proposed user authentication scheme is described as follows.

The Setup Phase
We adopt an elliptic curve defined over GF(p) that is recommended by SEC 2 [14]. First, the elliptic curve Ep(a, b) over GF(p) is defined by $y^2 = x^3 + ax + b \pmod p$, where a and b are real numbers, and $(4a^3 + 27b^2) \bmod p \neq 0$. Next, a base point G = (xG, yG) with a very large order is selected on Ep(a, b). The order of G, n, is the smallest positive integer such that $n \cdot G = O$, where O is the point at infinity. The global parameters of the system, (p, a, b, G, n), are known to all users in the network.
The CA randomly chooses an integer, s_CA, from [2, n−2] as its private key. In addition, the CA's paired public key is generated with: And then, the CA publishes P_CA to the whole network, but keeps s_CA secret.

The User Registration Phase
When a user, Ui with identity IDi, wants to join the system, he/she performs the following operations to register with CA.
First, Ui generates a nonce, N_i, using a pseudo-random number generator (PRNG), and randomly chooses an integer, r'_i, from [2, n−2]. Then, Ui computes: And: After that, Ui transmits Message 1 to the CA. On receiving Message 1 from Ui, the CA checks whether the message is fresh according to N_i. If the message has already been received, the CA discards it and cancels the user registration. Otherwise, the CA computes: The user's identity is extracted by: The CA checks ID_i. If ID_i already exists, the CA cancels the user registration. Otherwise, the CA randomly chooses an integer, r_CA, from [2, n−2], and computes: And: where
x_Ri is the x-coordinate of the point R_i. The CA generates a nonce, N_CA, using a PRNG, and returns Message 2. And Ui verifies the authenticity of P_i by: If this verification succeeds, Ui accepts P_i as his/her public key.
In the following, we demonstrate why the verification procedure described in (9) works correctly. According to Equations (6)-(8), we obtain: , the CA cancels the user registration.
The interaction diagram of the user registration phase mentioned above is shown in Figure 2. Figure 2. The user registration phase.
After Ui finishes the registration successfully, he/she stores (R_i, ID_i, s_i, P_i). Other users can use G, n, P_CA, R_i and ID_i to construct the public key of Ui, P_i.

The User Authentication Phase
The user authentication and session key agreement between Alice and Bob operates as follows, where Alice is an initiator and Bob is a responder.
Alice wants to set up a session key with Bob securely.
Step 1: First, Alice generates a nonce, N_A, using a PRNG, and randomly chooses an integer, r_A, from [2, n−2]. Next, Alice computes $C_A = r_A \cdot G$. Then, Alice generates a signature using her private key as: Thereafter, Alice sends the message (N_A, C_A, ID_A, ID_B, R_A, signature) to Bob.
Step 2: On receiving the message from Alice, Bob performs the following operations.
(1) According to N_A, Bob checks whether the message is fresh or not. If the message is fresh, Bob continues the user authentication process. Otherwise, Bob rejects Alice's authentication request.
(2) Bob computes Alice's public key as: Bob verifies Alice's signature as: If the signature is valid, Alice is a valid user and Bob continues the user authentication process. Otherwise, Bob cancels the user authentication process.
(3) Bob generates a nonce, N_B, using a PRNG, and randomly chooses an integer, r_B, from [2, n−2]. Next, Bob computes $C_B = r_B \cdot G$. Then, Bob computes the session key, and the message integrity code, Finally, Bob sends the message (N_A, C_B, ID_B, ID_A, R_B, MIC) to Alice.
Step 3: On receiving the response from Bob, Alice executes the following operations.
(1) According to N_A, Alice checks whether the message is fresh or not. If the message is fresh, Alice continues the user authentication process. Otherwise, Alice cancels the user authentication process. , Bob regards that Alice has verified his identity. At the same time, the session key agreement is successful, and the session key can be used for future communication.
The interaction diagram of the user authentication phase mentioned above is illustrated in Figure 3. The overall process of the proposed user authentication scheme is illustrated in Figure 4.
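The following is an added example in Python, not code from the paper: it implements the setup-phase curve Ep(a, b) over GF(p) with its non-singularity condition and the order n of G, and the ephemeral term r_A·r_B·G that Alice and Bob derive from C_A = r_A·G and C_B = r_B·G in Steps 1 and 2, which is the term the forward-secrecy argument in the security analysis relies on. The curve y^2 = x^3 + 2x + 2 over GF(17) with G = (5, 1) is a constructed toy parameter set, not the SEC 2 curve, and the signature and full session-key derivation are not reproduced.

```python
# Added example, not the paper's code: toy-curve arithmetic over GF(p) for the
# setup phase and the ephemeral term r_A*r_B*G of the authentication phase.
# Curve y^2 = x^3 + 2x + 2 over GF(17), G = (5, 1), is a constructed toy set
# (order n = 19); the paper uses a SEC 2 curve instead.
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple

Point = Optional[Tuple[int, int]]  # None stands for the point at infinity O


@dataclass(frozen=True)
class Curve:
    p: int
    a: int
    b: int

    def is_nonsingular(self) -> bool:
        # Setup-phase condition: (4a^3 + 27b^2) mod p != 0.
        return (4 * self.a ** 3 + 27 * self.b ** 2) % self.p != 0

    def contains(self, pt: Point) -> bool:
        if pt is None:
            return True
        x, y = pt
        return (y * y - (x ** 3 + self.a * x + self.b)) % self.p == 0

    def add(self, P: Point, Q: Point) -> Point:
        """Affine point addition (the ECC counterpart of modular multiplication)."""
        if P is None:
            return Q
        if Q is None:
            return P
        x1, y1 = P
        x2, y2 = Q
        if x1 == x2 and (y1 + y2) % self.p == 0:
            return None  # P + (-P) = O
        if P == Q:  # tangent slope for doubling
            lam = (3 * x1 * x1 + self.a) * pow(2 * y1, -1, self.p)
        else:       # chord slope
            lam = (y2 - y1) * pow(x2 - x1, -1, self.p)
        lam %= self.p
        x3 = (lam * lam - x1 - x2) % self.p
        return (x3, (lam * (x1 - x3) - y1) % self.p)

    def mul(self, k: int, P: Point) -> Point:
        """Scalar multiplication k*P by double-and-add (repeated addition)."""
        R: Point = None
        while k > 0:
            if k & 1:
                R = self.add(R, P)
            P = self.add(P, P)
            k >>= 1
        return R

    def order(self, G: Point) -> int:
        """Smallest n > 0 with n*G = O, by repeated addition (toy sizes only)."""
        n, R = 1, G
        while R is not None:
            R = self.add(R, G)
            n += 1
        return n


def ephemeral_term(curve: Curve, G: Point, r_A: int, r_B: int):
    """Alice sends C_A = r_A*G, Bob sends C_B = r_B*G; each side then derives
    r_A*r_B*G from its own random value and the peer's C. Returns
    (C_A, C_B, Alice's term, Bob's term); the two terms must agree."""
    C_A, C_B = curve.mul(r_A, G), curve.mul(r_B, G)
    return C_A, C_B, curve.mul(r_A, C_B), curve.mul(r_B, C_A)


def random_scalar(n: int) -> int:
    """Uniform integer in [2, n-2], the range the scheme prescribes."""
    return 2 + secrets.randbelow(n - 3)


TOY = Curve(p=17, a=2, b=2)  # constructed toy parameters
G_TOY: Point = (5, 1)
```

An eavesdropper sees only C_A and C_B on the wire; recovering r_A or r_B from them is an instance of the ECDLP, which is trivial on this 19-point toy group but intractable at the SEC 2 key sizes the paper adopts.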

Security Analysis
The security of the proposed user authentication scheme is based on the intractability of the ECDLP and the one-way hash function problem (OWHFP).
Let Ep(a, b) be an elliptic curve over GF(p). P is a point with order n on the elliptic curve Ep(a, b). Q is another point on the same curve.
The ECDLP is to determine m satisfying $Q = m \cdot P$ for given P and Q, which is difficult. Let h be a one-way hash function. Given h(x), it is computationally infeasible to find x. Furthermore, for a given value x and h(x), it is computationally infeasible to find a y such that


Theorem 1. The proposed user authentication scheme is secure against the user masquerade attack, the message-forgery attack, and the impersonation attack by the CA in the user registration phase.
Proof.
(1) User masquerade attack resistance. We assume that an adversary (Eve) intercepts a legal user's registration information and attempts to masquerade as the legal user (Ui) to join the network. However, Eve will face the following difficulties.
Although ) to the CA without the knowledge of r'_i. Although Eve obtains ID_i, he attempts to re-register with the CA for the purpose of masquerading as a valid user. Even if this attack succeeds, it can be easily detected. This is because the CA is convinced that the user has verified the authenticity of his public key once Message 3 is received, and the CA stores the user's registration information in the registration file. When a registration request is accepted, the CA checks the submitted identity of the user against the registration file to prevent the re-registration attempt.
Therefore, our proposed scheme can resist the user masquerade attack.
(2) Message-forgery attack resistance. ), satisfying (9), the CA can impersonate Ui. However, this fraud can be detected by Ui because two different valid keys exist, which proves that the CA is cheating. Therefore, our proposed scheme can resist the impersonation attack by the CA.

Security Analysis in User Authentication Phase
Theorem 2. The proposed user authentication scheme achieves mutual trust, and is secure against man-in-the-middle attack, replay attack, masquerading and tampering attacks in user authentication phase.

Proof.
(1) Mutual trust. The signature of the message sent by Alice is generated in Step 1. Therefore, the proposed scheme provides two-way authentication between Alice and Bob.
(2) Man-in-the-middle attack resistance. In the user registration phase, the re-registration attempt is prevented, so adversaries can hardly masquerade as other valid users to perform the man-in-the-middle attack.
In the user authentication phase, the proposed scheme exchanges A A solving the ECDLP is computationally infeasible. Therefore, the proposed scheme can resist the man-in-the-middle attack.
(3) Replay attack resistance. Two types of replay attacks are considered. A type-I replay attack is one in which an adversary intercepts an authentication message and attempts to masquerade as the sender by replaying it without modifying any content of the authentication message. A type-II replay attack is one in which an adversary intercepts an authentication message and replays a forged authentication message modified from the original one.
Since the proposed scheme uses nonces to ensure the freshness of messages, the type-I replay attack is excluded by checking the nonce. If Eve intercepts the message (N_A, C_A, ID_A, ID_B, R_A, signature) and replays it to impersonate Alice, Bob checks whether the message is fresh or not according to N_A. If the nonce has already been received, Bob discards the message.
In order to pass Alice's authentication, Eve must change the nonce. It is assumed that Eve only changes the nonce from N_A to N'_A in the intercepted message. The message verification does not hold, since Eve needs to have the private key of Alice, P_A, to generate a new signature. This is not possible because solving the ECDLP is intractable. In the same way, an adversary impersonating Bob cannot pass the authentication. Hence, the nonce cannot be forged in the proposed scheme, which means that the proposed scheme is also resistant to the type-II replay attack. Therefore, the proposed scheme can resist the replay attack.

(4) Masquerading and tampering attacks resistance
It is assumed that an adversary (Eve) intercepts an authentication message and replays it to masquerade as a valid user.
Eve intercepts an authentication message sent by Alice and attempts to masquerade as Alice by launching the type-I replay attack. After Bob receives the authentication message, he checks whether the message is fresh or not according to N_A. If the nonce has already been received, Bob discards the message. On the other hand, Eve may intercept an authentication message and launch the type-II replay attack. This is difficult to succeed, since Eve needs to use P_A to generate a new signature. Computing s_A from P_A is not possible because solving the ECDLP is computationally infeasible.
It is assumed that an adversary (Eve) intercepts the message (N_A, C_A, ID_A, ID_B, R_A, signature) and attempts to tamper with it. This action will not pass Alice's user authentication. As explained in the replay attack resistance, Eve needs to use P_A to generate a new signature. Hence, Eve encounters the intractability of solving the ECDLP. In addition, the one-way hash function is adopted in the user authentication phase to guarantee the integrity of the message, which contains the session key generated from Alice's and Bob's private keys. Computing (s_A, s_B) from (P_A, P_B) is not possible because solving the ECDLP is computationally infeasible. Therefore, the proposed scheme can resist the masquerading and tampering attacks.

Theorem 3.
Based on the difficulty in solving the ECDLP, the proposed user authentication scheme provides perfect forward secrecy, backward secrecy, key compromise impersonation attack resistance, known-key security, unknown key-share resistance, and known session-specific temporary information attack resistance.

Proof.
(1) Perfect forward secrecy and backward secrecy. It is assumed that the private keys, s_A and s_B, are compromised, and an adversary (Eve) attempts to compute the session key. Here, forward secrecy is achieved by means of the term $r_A \cdot r_B \cdot G$. In order to compute the session key, Eve needs the knowledge of the random values r_A and r_B. Solving C_A and C_B to get r_A and r_B is equivalent to the problem of solving the ECDLP. In addition, the session key relies on the random values r_A and r_B, which are generated in each session independently and changed for each authentication phase. Furthermore, another important aspect of our proposed scheme is that the session key is protected by the secure hash function. Even if an adversary obtains the session key of a certain period, he/she cannot use the current session key to get forward and backward session keys. Hence, the session key in the proposed scheme achieves perfect forward secrecy and backward secrecy.
(2) Key compromise impersonation attack resistance. As defined in [15], key compromise impersonation attack resistance means that an adversary (Eve) can masquerade as Alice if Alice's private key is compromised, while Eve cannot masquerade as another user to interact with Alice.
It is assumed that the long-term private key of Alice, s_A, is compromised and known to Eve. Obviously, Eve can impersonate Alice using s_A. However, to impersonate any other user (Bob) to interact with Alice, Eve would need the session key. Thus, Eve needs to have the private key of Bob, s_B, or the random value generated by Alice, r_A. Solving P_B and C_A to get s_B and r_A is equivalent to the problem of solving the ECDLP. In addition, in most circumstances, the private key of a user is updated periodically. Hence, the key compromise impersonation vulnerability can be limited to a considerably low extent.
(3) Known-key security. The proposed scheme achieves known-key security if the knowledge of previously generated session keys does not allow an adversary to compromise past or future session keys.
It is assumed that a session key generated by the proposed scheme is obtained by an adversary (Eve). Eve cannot derive any past or future session keys from the knowledge of the compromised session key. To derive a session key, Eve has to compute (r_A, r_B) and (s_A, s_B) from (C_A, C_B) and (P_A, P_B), respectively. This is not possible because solving the ECDLP is computationally infeasible.
(4) Unknown key-share resistance. A key agreement protocol achieves unknown key-share attack resistance if a user cannot be forced to share a session key with a user other than the intended one without their knowledge. That is, Alice cannot be forced to share a key with Eve when Alice believes that the key is shared with Bob.
In the user authentication phase of the proposed scheme, Bob sends a message to Alice, Therefore, the proposed scheme resists the known session-specific temporary information attack.

Performance Analysis
In this section, we analyze the performance of the proposed user authentication scheme in terms of security, storage overhead, communication overhead and computation overhead.
(1) Attack resistance and functionality. The attack resistance and functionality of the proposed user authentication scheme are compared with three other schemes, namely the Diffie-Hellman key agreement scheme in [4] (abbreviated as DHKA scheme), the user authentication phase of the secure MAC protocol for cognitive radio networks in [5] (abbreviated as SecureMAC protocol), and the authentication and key agreement scheme in [11] (abbreviated as AKA scheme).
The comparison results are listed in Table 2. From Table 2, we observe that our proposed user authentication scheme provides two-way user authentication and session key agreement. However, the SecureMAC protocol in [5] does not achieve session key agreement.

(2) Storage overhead

Table 3. Storage overhead of each user.

Parameters | Storage Overhead (bits)
The parameters of ECC, (p, a, b, G, n) | 960 (160 + 160 + 160 + 320 + 160)
CA's public key, P_CA | 320
Point R_i | 320
User identity, ID_i | 160
User's private key, s_i | 160
User's public key, P_i | 320
Total | 2240

The total storage overhead is only 2,240 bits, which is quite suitable for a resource-constrained wireless network.
For security, the private key of Ui, s_i, needs to be stored in the form of ciphertext, while the public key of Ui, P_i, and the other parameters, (p, a, b, G, n, P_CA, R_i, ID_i), are stored in the form of plaintext. Since other users can use n, P_CA, R_i and ID_i to construct the public key of Ui, P_i, a user does not need to store the public keys of the other users with whom he/she is communicating. In addition, since the session key generated between two users is temporary, it does not need to be stored.

(3) Communication overhead
Let the length of a nonce be 64 bits, and the hash value of the one-way hash function be 256 bits. The communication overhead in the user authentication phase of our proposed scheme is listed in Table 4.

Table 4. Communication overhead of each user.

Message | Communication Overhead (bits)
Step 1 | 1184
Step 2 | 1344
Step 3 | 640
Total | 3168

From Table 4, it is obvious that the communication overhead in the user authentication phase of our proposed scheme is relatively light.

(4) Computation overhead
The computational complexity is analyzed in detail and compared with some other user authentication schemes, namely the DHKA scheme in [4], the AKA scheme in [11], the time stamp mechanism and key management scheme in [16] (abbreviated as TSMKM scheme), the authentication scheme based on bilinear pairings in [17] (abbreviated as BP-A scheme), the ECC-based authentication key agreement scheme in [18] (abbreviated as ECC-AKA scheme), and the ECC-based improved authentication key agreement scheme in [19] (abbreviated as ECC-IAKA scheme).
The notations of various operations and the denotations used in this subsection are listed in Table 5.

Conclusions
The WANET will play an important role in next generation wireless networking. In addition, the security issue is critical for deploying and managing WANETs. Furthermore, user authentication is the first safety barrier in a network.
We proposed a user authentication scheme based on SCPK and ECC for the WANET, in which efficient two-way user authentication and secure session key agreement are achieved. Based on the security and performance analysis, our proposed scheme resists various common known attacks, such as the man-in-the-middle attack, the replay attack, and the masquerading and tampering attacks, and achieves lower storage, communication and computation overheads. Therefore, the proposed user authentication scheme based on SCPK and ECC is efficient and suitable for the resource-constrained WANET.