A Lightweight Anonymous Client–Server Authentication Scheme for the Internet of Things Scenario: LAuth

The Internet of Things (IoT) connects many kinds of devices into a network and enables two-way communication between them. Because these devices collect and transmit a large amount of data, communication between them must be secured so that an adversary cannot undermine it. Many authentication protocols have been proposed for this purpose. In this study, a fully anonymous authentication scheme for the IoT scenario is proposed; it enables a remote client to connect to the server anonymously and be served by it. The proposed scheme has been verified with AVISPA and BAN logic, and the results show that it is safe. In addition, simulation shows that the proposed scheme is more efficient in both computation cost and communication cost than related schemes.


Introduction
The Internet of Things is a network that connects all kinds of sensors, actuators, and other embedded devices. These devices exchange data remotely over the network. A significant amount of data is collected by these devices and transmitted in this network. Much of it is personal data, for example blood pressure, pulse, and electrocardiogram readings, as well as home-environment data such as humidity and temperature. People are reluctant to let any party use these data without authorization, so an authentication scheme is needed to make sure that the data are accessible only to authorized parties. Authentication schemes have been studied in the past to solve this problem.
However, in some cases mutual authentication alone is not sufficient to protect the privacy of the clients. In a healthcare environment, an adversary who eavesdrops on the information flow can learn which patient's data is being transmitted, and the patient's medical condition is revealed in this way. In this study, a lightweight authentication and key establishment scheme is proposed that enables a remote client to be authenticated anonymously by the server. The proposed scheme uses only lightweight operations: XOR, hash functions, and a minimal number of elliptic-curve (asymmetric) operations, which are needed for the Diffie-Hellman key agreement that provides perfect forward secrecy. As discussed in our previous work, these operations are relatively lightweight; we return to this question in Section 7.1. Since energy consumption is of paramount importance where devices are powered by small batteries, there is a high demand for lightweight authentication schemes [1,2]. For these two reasons, we propose this authentication scheme. Our contributions are mainly three-fold:

1. We propose a lightweight anonymous authentication scheme for the Internet of Things scenario. The scheme achieves various security features: perfect forward privacy, user anonymity, resistance to offline dictionary attacks, etc. To verify these security features, the proposed scheme is also checked with AVISPA and BAN logic.

2. We specially design the password change phase, making it more efficient than that of the related works.

3. We simulate the proposed scheme and related schemes in C++. The results show that both the communication cost and the computation cost are reduced compared with related proposals.

The rest of the paper is organized as follows. Section 2 discusses related work, Section 3 introduces the proposed scheme, Sections 4 and 5 are security analyses using AVISPA and BAN logic, and Section 6 is the formal security analysis. Section 7 compares the proposed scheme with related works, Section 8 analyzes the security features, and Section 9 concludes.

Related Work
Tu et al. proposed a two-factor authentication protocol based on a smart card and elliptic curve cryptography [3]. However, Farash [4] found this scheme vulnerable to impersonation attacks: an attacker can impersonate a legitimate server. Ibrahim et al. proposed secure anonymous mutual authentication for star two-tier wireless body area networks [5]. Chaudhry et al. proposed a remote user authentication scheme using elliptic curve cryptography that withstands various attacks in the Internet of Things scenario, for example the smart card loss attack and the replay attack [6]. Kumari et al. analyzed the scheme of Farash [7] and found it vulnerable to various attacks, for example impersonation, password guessing, and temporary session-specific information leakage attacks.
Jing et al. proposed an authentication scheme between user and server that protects the identity privacy of the user well [8]; however, their scheme requires extra storage capacity at the server side. In the scheme of Xiong [9], only registered users can authenticate each other and build a shared key; this shared key is known only to the two registered users, and not even the network manager can learn it. From the public information transmitted between the two users, an adversary is unable to learn this shared key. The scheme of Jing et al. [10] is equipped with elliptic curve cryptographic primitives; it achieves anonymity regardless of the network infrastructure and enables the server to provide various services to a client more than once at negligible computational cost. Idrissi proposed a security scheme for mobile agents based on two techniques, anonymous authentication and intrusion detection [11]. In the work of Xiong et al. [12], anonymity is achieved, but the gateway has to store a large number of identity and key pairs.
In some schemes, the gateway assigns each client a random number and a unique key derived from this number. The number is used as an index to the key, and the user encrypts his identity with this key. Many other schemes protect the identity of the users in this way, for example those of [13-18]. Biometrics are used in the schemes of Wu et al. [19], Odelu et al. [20], Wang et al. [21] and Islam et al. [22]; a fuzzy extractor turns the human biometric into a random string.
The partial public key method is another popular approach. He et al. proposed an efficient identity-based privacy-preserving authentication scheme for vehicular ad hoc networks [23] that uses batch verification. The concept of a partial public key is also used in the scheme of Islam et al. [24]: a user registers at the server several times in order to obtain more than one authentication key, and then uses different keys for authentication to achieve anonymity. The scheme of Porambage et al. [25] also uses the partial public key concept. Tsai et al. proposed a scheme for distributed mobile cloud computing services [26] whose security rests on bilinear pairing and dynamic nonce generation. Other schemes are based on elliptic curve security [27-29].

Structure of the Scheme
There are two types of entities in the scheme: remote clients and the server, which is shown in Figure 1.
1. A client is an entity that wants to access the services provided by the server. A client first registers at the server; after registration, it can perform mutual authentication with the server, and the two then establish a shared key with which the client accesses the server's services.
2. The server is the entity that provides services to the clients. It is also responsible for client registration and password modification. Before the server provides a service to a client, it must verify that the client is a registered one.
The proposed scheme is a mutual authentication scheme between the client and the server. It consists of three phases: the registration phase of the client, the mutual authentication and key establishment phase, and the phase in which a client changes his password.

System Initialization
In the beginning, the server S generates and publicizes the parameters of an elliptic curve, {p, a, b, P, n, h}. After that, S generates its private key X_GWN and keeps it secret. The symbols used in this study are summarized in Table 1.

Registration Phase
All clients have to register at the server. A client C_i with identity ID_i generates a registration request message and sends it to the server S. When the server receives the message, it generates the keys for C_i and returns them to the client. Table 2 describes the process.

Client C_i:
1. Client C_i chooses a random number r_i.
2. Client C_i calculates the masked password MP_i = h(r_i || ID_i || PW_i).
3. Client C_i sends {ID_i, MP_i} to the server.

Server S:
1. Server S calculates d_i = h(ID_i || X_GWN).
2. Server S calculates f_i = d_i ⊕ MP_i.
3. Server S chooses a random number k_i.
4. Server S calculates e_i = h(k_i || X_GWN).
5. Server S calculates h_i = e_i ⊕ MP_i.
6. Server S sends {f_i, h_i, k_i} and the other system parameters to the client C_i, which stores them together with r_i in its smart card.
Table 2. Registration phase.

Authentication Phase
If a client C_i with identity ID_i wants to request a service from the server S, the two first authenticate each other and build a shared key. The client side is executed by the smart card (SC), which prepares the following message and sends it to the server S.

1. The client C_i inserts the smart card into a card reader and inputs the identity ID_i and password PW_i.
2. SC computes MP_i = h(r_i || ID_i || PW_i) from the stored r_i and uses it to recover d_i = f_i ⊕ MP_i and e_i = h_i ⊕ MP_i.
3. SC gets the current timestamp T_1 and the stored number k_i.
4. SC chooses a random number k_1 and computes A_1 = k_1·P.
5. SC computes the hash M_1 = h(A_1 || ID_i || k_i || d_i || T_1).
6. SC encrypts {ID_i, M_1} under the key e_i = h(k_i || X_GWN) to obtain M_2.
7. SC sends {k_i, A_1, M_2, T_1} to the server S.

When the server S receives the message, it first checks its correctness; after verification, the server generates the shared key between itself and the client and prepares the reply.

1. Server S checks the freshness of T_1; if T_1 is not fresh, S discards the message and the scheme ends here.
2. Server S calculates the key e_i = h(k_i || X_GWN) from the received k_i.
3. Server S decrypts M_2 with e_i to obtain ID_i and M_1.
4. Server S calculates d_i = h(ID_i || X_GWN) from the identity ID_i.
5. Server S checks whether M_1 = h(A_1 || ID_i || k_i || d_i || T_1); if so, the server accepts the message, otherwise the scheme terminates here.
6. Server S chooses a random number k_2 and computes B_2 = k_2·P.
7. Server S computes the shared key SK = h(k_2·A_1 || T_1) = h(k_1·k_2·P || T_1).
8. Server S calculates a new random number k_inew = h_1(SK || T_1).
9. Server S calculates e_inew = h(k_inew || X_GWN).
10. Server S computes the verification message M_4 and sends {B_2, M_4} to the client C_i.

When the client C_i receives {B_2, M_4}, it takes the following steps to authenticate the incoming message; if the verification succeeds, it builds the shared key with the server.

1. Client C_i computes the shared key SK' = h(k_1·B_2 || T_1).
2. Client C_i verifies M_4 against SK'; if they match, C_i accepts the shared key, and the client C_i and the server S can now communicate using SK = SK'; otherwise the scheme terminates here.
3. Client C_i computes k_inew = h_1(SK || T_1) and updates h_i = e_inew ⊕ MP_i and k_i = k_inew.

Now the client C_i and the server S have authenticated each other and established a shared key. Table 3 depicts the whole process.
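The registration and authentication steps above, as an added worked example in Python; it is not code from the paper or from its GitHub repository. It assumes textbook secp256k1 arithmetic written inline, models the unspecified symmetric cipher that protects M_2 as XOR with a SHA-256 keystream, assumes M_4 = h(SK || B_2 || T_1) for the server's authenticator, fixes a 60-second freshness window, and leaves out the k_inew and e_inew rotation. The server also keeps a cache of accepted (k_i, T_1) pairs, which is an addition: the paper relies on the timestamp alone, and an exact replay inside the freshness window carries a fresh-looking T_1 together with a valid M_1, so the timestamp check by itself does not catch it.

```python
import hashlib
import secrets

# secp256k1 domain parameters (the curve the paper's comparison section uses)
P_MOD = 2**256 - 2**32 - 977
N_ORD = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
FRESHNESS_WINDOW = 60  # seconds a T_1 is accepted for; assumed, the paper fixes no value

def ec_add(p1, p2):  # textbook affine addition on secp256k1; None is the point at infinity
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P_MOD == 0:
            return None  # p1 == -p2
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P_MOD) % P_MOD  # doubling
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def ec_mul(k, pt):  # double-and-add scalar multiplication k*pt (not constant time)
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def pt_bytes(pt):  # uncompressed point, 64 bytes, the size used in the communication cost analysis
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")

def h(*parts):  # h(a||b||...) as SHA-256; fields have fixed widths (ID 2, k_i 4, T 4, hash 32, point 64)
    return hashlib.sha256(b"".join(parts)).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def sym(key, data):  # stand-in for the unspecified cipher protecting M_2: XOR with a SHA-256 keystream
    return xor(data, b"".join(h(key, bytes([i])) for i in range((len(data) + 31) // 32)))

class Server:
    def __init__(self):
        self.x_gwn = secrets.token_bytes(32)  # long-term secret X_GWN
        self.seen = set()  # (k_i, T_1) pairs already accepted: a replay cache added beyond the paper

    def register(self, id_i, mp_i):  # registration phase: returns {f_i, h_i, k_i} for the smart card
        d_i, k_i = h(id_i, self.x_gwn), secrets.token_bytes(4)
        return xor(d_i, mp_i), xor(h(k_i, self.x_gwn), mp_i), k_i

    def authenticate(self, msg, now):  # server side of the authentication phase
        k_i, a1, m2, t1 = msg
        if abs(now - int.from_bytes(t1, "big")) > FRESHNESS_WINDOW or (k_i, t1) in self.seen:
            return None
        plain = sym(h(k_i, self.x_gwn), m2)  # e_i = h(k_i||X_GWN) recovers {ID_i, M_1}
        id_i, m1 = plain[:2], plain[2:]
        d_i = h(id_i, self.x_gwn)
        if m1 != h(pt_bytes(a1), id_i, k_i, d_i, t1):
            return None
        self.seen.add((k_i, t1))
        k2 = secrets.randbelow(N_ORD - 1) + 1
        b2 = ec_mul(k2, G)
        sk = h(pt_bytes(ec_mul(k2, a1)), t1)  # SK = h(k_1 k_2 P || T_1)
        return (b2, h(sk, pt_bytes(b2), t1)), sk  # M_4 = h(SK||B_2||T_1) is an assumed construction

class Client:
    def __init__(self, id_i, pw_i, server):  # the smart card holds {f_i, h_i, k_i, r_i}
        self.id_i, self.r_i = id_i, secrets.token_bytes(4)
        self.f_i, self.h_i, self.k_i = server.register(id_i, h(self.r_i, id_i, pw_i))

    def request(self, pw_i, now):  # builds {k_i, A_1, M_2, T_1}; ID_i travels only inside M_2
        mp_i = h(self.r_i, self.id_i, pw_i)
        d_i, e_i = xor(self.f_i, mp_i), xor(self.h_i, mp_i)
        self.t1 = now.to_bytes(4, "big")
        self.k1 = secrets.randbelow(N_ORD - 1) + 1
        a1 = ec_mul(self.k1, G)
        m1 = h(pt_bytes(a1), self.id_i, self.k_i, d_i, self.t1)
        return (self.k_i, a1, sym(e_i, self.id_i + m1), self.t1)

    def finish(self, reply):  # SK' = h(k_1 B_2 || T_1); accept only if M_4 verifies
        b2, m4 = reply
        sk = h(pt_bytes(ec_mul(self.k1, b2)), self.t1)
        return sk if m4 == h(sk, pt_bytes(b2), self.t1) else None

def run_handshake(login_pw=b"correct horse", now=1_700_000_000):
    """Register a constructed client, authenticate once, then replay the same request inside the window."""
    srv = Server()
    cli = Client(b"\x00\x2a", b"correct horse", srv)  # constructed 2-byte ID_i and password
    msg = cli.request(login_pw, now)
    out = srv.authenticate(msg, now)
    if out is None:
        return None, None, None
    reply, sk_srv = out
    return cli.finish(reply), sk_srv, srv.authenticate(msg, now + 1)
```

run_handshake() returns the same 32-byte SK on both sides and None for the replayed request; with a wrong password it returns (None, None, None), because the card unmasks the wrong d_i and e_i, M_2 decrypts to garbage on the server, and the M_1 check fails. Since SK depends only on k_1 and k_2, a later leak of X_GWN or of the card contents does not help recover it, which is the forward privacy argument of Section 6.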
Password Change Phase
When a client C_i wants to change his password, he sends a request to the server S over a public channel. Table 4 describes the process.

1. The client C_i inserts his smart card into a card reader and inputs his identity ID_i and password PW_i.
2. SC computes MP_i = h(r_i || ID_i || PW_i).
3. SC uses MP_i to recover d_i = f_i ⊕ MP_i and e_i = h_i ⊕ MP_i.
4. SC gets the current timestamp T_1 and the stored number k_i.
5. SC computes the hash M_1 = h(ID_i || k_i || d_i || T_1) and encrypts {ID_i, M_1} under e_i to obtain M_2.
6. Finally, SC sends {k_i, M_2, T_1} to the server S.
When the server S receives the message, it verifies that the message comes from a legitimate client and then sends a reply to the client C_i.

1. Server S checks the freshness of T_1; if T_1 is not fresh, S discards the message.
2. Server S calculates the key e_i = h(k_i || X_GWN) from k_i.
3. Server S uses e_i to decrypt M_2 and obtain ID_i and M_1.
4. Server S calculates d_i = h(ID_i || X_GWN) from the identity ID_i.
5. Server S checks whether M_1 = h(ID_i || k_i || d_i || T_1); if so, the message is verified, otherwise the scheme terminates here.
6. Server S computes M_3 = h(ID_i || d_i || k_i || T_1) and sends it to the client.

When the client C_i receives the reply from the server S, the smart card checks the correctness of this message; only if it is from the server S does the smart card allow the client C_i to input a new password.

1. SC checks whether M_3 = h(ID_i || d_i || k_i || T_1); if they are equal, the client is allowed to change his password.
2. SC computes d_i = f_i ⊕ MP_i using the stored f_i and the old MP_i.
3. SC computes e_i = h_i ⊕ MP_i using the stored h_i and the old MP_i.
4. Client C_i inputs the new password PW*_i.
5. SC updates MP_i to MP*_i = h(r_i || ID_i || PW*_i) and uses this new MP*_i to update the stored f_i and h_i to f*_i = d_i ⊕ MP*_i and h*_i = e_i ⊕ MP*_i.
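The password change phase end to end, as an added example in Python that is not the paper's own code. It reuses the registration derivation of the scheme, the same XOR-keystream stand-in for the unspecified cipher protecting M_2 (an assumption), and an assumed 60-second freshness window. The point it shows is that the new password is installed purely by re-masking on the card: d_i and e_i never change, only the masks f_i and h_i, so the server stores nothing new, and a wrong old password is refused by the server's M_1 check before anything on the card is touched.

```python
import hashlib
import secrets

FRESHNESS_WINDOW = 60  # seconds; assumed, the paper fixes no value

def h(*parts):  # h(a||b||...) as SHA-256 over fixed-width fields
    return hashlib.sha256(b"".join(parts)).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def sym(key, data):  # stand-in for the unspecified cipher protecting M_2: XOR with a SHA-256 keystream
    return xor(data, b"".join(h(key, bytes([i])) for i in range((len(data) + 31) // 32)))

class Server:
    def __init__(self):
        self.x_gwn = secrets.token_bytes(32)  # long-term secret X_GWN

    def register(self, id_i, mp_i):  # registration phase: {f_i, h_i, k_i} for the smart card
        d_i, k_i = h(id_i, self.x_gwn), secrets.token_bytes(4)
        return xor(d_i, mp_i), xor(h(k_i, self.x_gwn), mp_i), k_i

    def password_change(self, k_i, m2, t1, now):
        """Server side of the password change phase: returns M_3, or None if the request is rejected."""
        if abs(now - int.from_bytes(t1, "big")) > FRESHNESS_WINDOW:
            return None
        plain = sym(h(k_i, self.x_gwn), m2)  # e_i = h(k_i||X_GWN) recovers {ID_i, M_1}
        id_i, m1 = plain[:2], plain[2:]
        d_i = h(id_i, self.x_gwn)
        if m1 != h(id_i, k_i, d_i, t1):
            return None
        return h(id_i, d_i, k_i, t1)  # M_3

class SmartCard:
    def __init__(self, id_i, pw_i, server):  # the card holds {f_i, h_i, k_i, r_i}
        self.id_i, self.r_i = id_i, secrets.token_bytes(4)
        self.f_i, self.h_i, self.k_i = server.register(id_i, h(self.r_i, id_i, pw_i))

    def derive(self, pw_i):  # (d_i, e_i) as unmasked by a candidate password
        mp_i = h(self.r_i, self.id_i, pw_i)
        return xor(self.f_i, mp_i), xor(self.h_i, mp_i)

    def change_password(self, old_pw, new_pw, server, now):
        """Runs the phase; returns True only if the server's M_3 verified and the card was re-masked."""
        d_i, e_i = self.derive(old_pw)
        t1 = now.to_bytes(4, "big")
        m1 = h(self.id_i, self.k_i, d_i, t1)
        m3 = server.password_change(self.k_i, sym(e_i, self.id_i + m1), t1, now)
        if m3 is None or m3 != h(self.id_i, d_i, self.k_i, t1):
            return False  # the new password is only accepted after M_3 checks out
        mp_new = h(self.r_i, self.id_i, new_pw)
        self.f_i, self.h_i = xor(d_i, mp_new), xor(e_i, mp_new)  # f*_i, h*_i
        return True

def demo(now=1_700_000_000):
    """Registers a constructed client, tries a wrong old password, then changes the password for real."""
    srv = Server()
    card = SmartCard(b"\x00\x2a", b"old-pw", srv)  # constructed 2-byte ID_i and password
    before = card.derive(b"old-pw")
    refused = card.change_password(b"guess", b"new-pw", srv, now)
    changed = card.change_password(b"old-pw", b"new-pw", srv, now)
    return refused, changed, card.derive(b"new-pw") == before, card.derive(b"old-pw") == before
```

demo() returns (False, True, True, False): the guessed old password is refused, the real change succeeds, the new password unmasks exactly the d_i and e_i the server already knows, and the old password no longer does.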

Security Analysis by AVISPA
Automated Validation of Internet Security Protocols and Applications (AVISPA) is "a push-button tool for the automated validation of Internet security-sensitive protocols and applications" [30]. To test the security features of the scheme, we wrote it in the role-based High-Level Protocol Specification Language (HLPSL), which describes protocols and specifies their intended security properties. The HLPSL code is listed in Appendix A.
We ran the check with the Constraint-Logic-based Attack Searcher (CL-AtSe) [31] and the On-the-Fly Model-Checker (OFMC) [32,33] back-ends. The results shown in Table 5 report the proposed scheme as safe.

Security Analysis Using BAN Logic
We analyzed the proposed scheme using Burrows-Abadi-Needham logic (BAN logic) [34]. BAN logic lets us reason about what each party is entitled to believe about the origin and freshness of the exchanged messages, and in particular whether both parties come to believe in the shared key. For the symbols and primary postulates of BAN logic, please refer to our previous work [35].

The Premise and Proof Goals
Suppose there are two entities in the system: the client C_i and the server S. Before starting the proof, we translate the messages into the idealized form of BAN logic; the results are shown in Table 6.
Table 6. The idealized form of the messages (columns: Message, Flow, Idealized Form).

The goals in BAN logic are described below; they ensure that C_i and S agree on a shared key SK.

Assumptions
We make some assumptions to help prove the protocol; they are listed in Table 7. First, we show the proof of assumptions A1 and A3.
According to (1) and the "promotion #" rule:
3. According to (2) and the "promotion #" rule:
4. According to (3) and the "elimination of multipart messages" rule:
Next, we show the proof of assumptions A2 and A4. By checking the timestamp T_1, the server S can judge whether T_1 is fresh; if it is not, the server S discards the message and the scheme ends here. Thus we only consider the situation in which the server S believes T_1 is fresh, that is, S |≡ #(T_1).

5. According to the "promotion #" rule:
6. According to (5) and the "elimination of multipart messages" rule:
After registration, both the server S and the client C_i believe that they share the key d_i. Translated into BAN logic, this gives assumption A6. Assumption A7 says that client C_i believes server S has complete control over the data B_2, and assumption A8 says that server S believes client C_i has complete control over the data A_1.

The Proof of the Proposed Scheme
In this section we give the proof. From the message {k_i, A_1, {A_1, ID_i, k_i, T_1}_{d_i}, T_1}, which the client C_i sends to the server S, we obtain the following:

Formal Security Analysis
Suppose G_1 is a cyclic additive group of prime order q with generator P. The security of the shared key of the proposed scheme rests on the computational hardness of the Elliptic Curve Computational Diffie-Hellman (ECCDH) problem.
Definition 1 (ECCDH problem). For a, b ∈ Z*_q, given the instance <P, aP, bP>, it is computationally intractable to compute abP.

Theorem 1. The proposed scheme achieves shared key security if and only if the ECCDH problem cannot be solved in polynomial time.
Shared key security means that an adversary is unable to obtain the shared key between the client C_i and the server S from the messages transferred publicly between them.

Proof.
(⇒) Suppose there is an efficient algorithm O_I that solves the ECCDH problem in probabilistic polynomial time. The adversary can observe the messages sent publicly between the client C_i and the server S, {k_i, A_1, M_2, T_1} and {B_2, M_4}. Setting a·P = A_1 = k_1·P and b·P = B_2 = k_2·P, the adversary A_I obtains c·P = k_1·k_2·P by running O_I and can then compute the shared key h(k_1·k_2·P || T_1); that is, an ECCDH solver breaks the shared key security.
(⇐) Suppose there is an efficient algorithm O_II that obtains the shared key between the client C_i and the server S. Since the hash function is assumed secure (its output reveals nothing about its input), the adversary must obtain the shared key by computing k_1·k_2·P. This means that given A_1 = k_1·P and B_2 = k_2·P, an adversary A_II is able to compute k_1·k_2·P. Taking a·P = A_1 = k_1·P and b·P = B_2 = k_2·P as an ECCDH instance, the adversary obtains c·P = a·b·P = k_1·k_2·P, which contradicts the hardness of the ECCDH problem.

Proof.
The proof of perfect forward privacy is similar to that of Theorem 1. Even if the long-term private key of the client or the server is leaked to the adversary, what the adversary obtains is still only the public information {k_i, A_1, M_2, T_1} and {B_2, M_4}, because the session key h(k_1·k_2·P || T_1) depends only on the ephemeral values k_1 and k_2 and not on any long-term key. Thus the adversary is unable to recover a past session key either.

Comparison
In this section, we compare our scheme with related works in computation cost at the registration, authentication and password change phases. The schemes are implemented in C++; the code has been uploaded to a public repository on github.com [36]. The MIRACL C/C++ library [37] is used; it is available on github.com [38]. The experiment is conducted with Visual Studio C++ 2017 on a 64-bit Windows 7 system with a 3.5 GHz processor and 8 GB of memory. The hash function is SHA-256; the symmetric encryption/decryption function is AES in MIRACL's MR_PCFB1 mode, with its 256-bit key derived by a SHA-256 hash. The Koblitz curve secp256k1 is used [39]; note that it is a SECG curve rather than one of the NIST-recommended curves. Its parameters are listed in Appendix B. The code is compiled for x86, and the simulation does not account for the transmission of data.

Computational Performance Analysis
First, we compare the computation costs of the schemes in terms of operations per phase. T_H, T_MUL, T_ADD and T_E/D denote the cost of a SHA-256 operation, a point multiplication in G_1, a point addition in G_1, and an AES encryption/decryption operation, respectively. The results are listed in Table 8. Since T_MUL > T_H and T_E/D > T_H, the proposed scheme has the lowest cost in every phase, and therefore an advantage in computation cost and energy consumption over the related works. To check this analysis, we also simulated the schemes in the environment described above.

Table 8. Computation cost per phase.
Reference            Registration Phase   Authentication Phase       Password Change Phase
Tu et al. [3]        2T_H + 1T_MUL        10T_H + 7T_MUL + 1T_ADD    6T_H + 1T_MUL + 4T_E/D
Chaudhry et al. [6]  5T_H + 1T_MUL        14T_H + 6T_MUL + 1T_ADD    -
Wu et al. [19]       4T_H                 12T_H + 4T_MUL + 4T_E/D    9T_H + 1T_MUL + 2T_E/D
Our scheme           3T_H                 14T_H + 4T_MUL             9T_H

First, we run the registration phase of the different schemes 5, 10, 15, 20 and 25 times. The computation times are shown in Figure 2; the horizontal axis is the number of runs and the vertical axis is the time in milliseconds. The computation costs of Wu et al. [19] and of the proposed scheme are relatively small, while the schemes of Chaudhry et al. [6] and Tu et al. [3] cost more time. This is mainly because the proposed scheme and the scheme of Wu et al. [19] need only lightweight operations, SHA-256 hashes and XOR, whereas the schemes of Chaudhry et al. [6] and Tu et al. [3] also require an elliptic-curve point multiplication, which costs far more than a hash.
Second, we run the authentication and key establishment phase of the different schemes 5, 10, 15, 20 and 25 times. The computation costs are shown in Figure 3, with the number of runs on the horizontal axis and milliseconds on the vertical axis. The computation costs of Wu et al. [19] and of the proposed scheme are relatively small, while the schemes of Chaudhry et al. [6] and Tu et al. [3] cost more time. The computation cost of the proposed scheme is the lowest.
Third, we run the password change phase 5, 10, 15, 20 and 25 times. The computation costs are shown in Figure 4, again with the number of runs on the horizontal axis and milliseconds on the vertical axis. The computation cost of the proposed scheme is the lowest; those of Wu et al. [19] and Tu et al. [3] are much higher, because the proposed scheme needs only SHA-256 hashes and XOR in this phase, while the schemes of Wu et al. [19] and Tu et al. [3] need symmetric encryption/decryption and elliptic-curve operations, which cost more time.

Communication Performance Analysis
In this part, we compare all the schemes in communication cost, using the same criteria as the study of Jing et al. [8]: an identity costs 2 bytes. The hash function in this study is SHA-256, so a hash output is 32 bytes. A random number is 4 bytes and a timestamp is 4 bytes. An element of the group G_1 of the Koblitz curve secp256k1 is 64 bytes, and the order |q| of G_1 is 32 bytes long. At the registration phase, the client sends {ID_i, MP_i} to the server; MP_i is a hash output and therefore 32 bytes long, so the message is 2 + 32 = 34 bytes. The server sends {f_i, h_i, k_i}, f_i is 32 bytes
Table 9. Communication costs of different schemes.

Security Feature Analyses
In this section, we analyze the security features of the different schemes and summarize the results in Table 10 at the end of the section.

Client Anonymity
Regarding client anonymity, in the proposed scheme the identity of the client is transmitted encrypted under a key shared between the client and the server, so an adversary cannot learn the real identity of the client. In the scheme of Tu et al. [3], the identity (the username) is transmitted in the clear, so an adversary can read it directly. In the schemes of Chaudhry et al. [6] and Wu et al. [19], the identity is encrypted, too.

Perfect Forward Privacy
Perfect forward privacy (commonly called perfect forward secrecy) means that even when an adversary obtains the private key of the client or of the server, it is unable to recover a past session key from that private key and the publicly transmitted messages. As proved in Section 5, the proposed scheme achieves perfect forward privacy.
Meanwhile, the scheme of Chaudhry et al. [6] cannot ensure perfect forward privacy: if the adversary obtains the private key $msk$ together with the session-related messages $DID_{ua}$, $EID_{ua}$, $Q_{ua}$ and $T_{sb}$, $H_{sb}$, the adversary can recompute the past session key from these values.

Replay Attack
In the proposed scheme, the message $\{k_i, A_1, M_2, T_1\}$ carries a timestamp $T_1$, and $T_1$ is also bound into the hash value $M_1 = h(A_1 \| D_i \| k_i \| d_i \| T_1)$. If an adversary re-sends an earlier message to the server, the server abandons it after checking the timestamp. If the adversary instead replaces $T_1$ with a fresh timestamp, the server still detects it, because the recomputed hash $M_1 = h(A_1 \| D_i \| k_i \| d_i \| T_1)$ no longer matches. Thus, an adversary is unable to launch a replay attack. Checking $T_1$ presupposes that the client and server clocks are loosely synchronized and that the server fixes an acceptance window for the timestamp. In the scheme of Chaudhry et al. [6], if an adversary re-sends an earlier message to the server, the server cannot tell whether the message is an old one; therefore, their scheme is subject to replay attack.
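The two checks described above, as an added example that is not code from the paper: a model of the server's timestamp check and the recomputation of $M_1$. LAuth's derivations of $D_i$, $k_i$ and $A_1$ are not given on this page, so they are constructed byte strings here, the acceptance window is an assumed value, and the message carries $M_1$ directly (the paper's message carries $M_2$, and the check it describes is on $M_1$). The replay cache in step 3 is a standard addition for copies re-sent inside the window and is not part of the paper's description.

```python
import hashlib
import hmac


def h(*parts: bytes) -> bytes:
    """The page's hash h(.): SHA-256 over the concatenation (||) of its arguments."""
    return hashlib.sha256(b"".join(parts)).digest()


# Constructed sample values. LAuth's derivations of D_i, k_i and A_1 are not on the
# page, so they are fixed byte strings here; d_i = h(ID_i || X_GWN) follows the page.
ID_i = b"\x00\x2a"                       # 2-byte identity
X_GWN = b"constructed-server-secret"      # server long-term secret
d_i = h(ID_i, X_GWN)
D_i = b"constructed-D_i"
k_i = b"constructed-k_i"
A_1 = b"constructed-A_1"

WINDOW = 5   # assumed acceptance window in seconds (not specified on the page)


def ts(t: int) -> bytes:
    """Timestamps are 4 bytes in the communication-cost analysis."""
    return t.to_bytes(4, "big")


def client_message(T_1: int) -> dict:
    """Login message {k_i, A_1, M_1, T_1} with M_1 = h(A_1 || D_i || k_i || d_i || T_1)."""
    M_1 = h(A_1, D_i, k_i, d_i, ts(T_1))
    return {"k_i": k_i, "A_1": A_1, "M_1": M_1, "T_1": T_1}


class Server:
    """Freshness check as the page describes it, plus a replay cache (see lead-in)."""

    def __init__(self, window: int = WINDOW):
        self.window = window
        self.seen = set()   # M_1 values already accepted inside the window

    def accepts(self, msg: dict, now: int) -> bool:
        # 1. Timestamp check: abandon messages outside the window.
        if abs(now - msg["T_1"]) > self.window:
            return False
        # 2. Hash check: T_1 is bound into M_1, so a rewritten T_1 breaks M_1.
        expected = h(msg["A_1"], D_i, msg["k_i"], d_i, ts(msg["T_1"]))
        if not hmac.compare_digest(expected, msg["M_1"]):
            return False
        # 3. Added defence: refuse a verbatim copy replayed while still in the window.
        if msg["M_1"] in self.seen:
            return False
        self.seen.add(msg["M_1"])
        return True


def scenarios(T0: int = 1_700_000_000) -> dict:
    """Run the legitimate login, then the replays discussed on the page."""
    server = Server()
    original = client_message(T0)
    fresh = server.accepts(original, now=T0 + 1)

    # Replay much later: T_1 is stale, rejected by the timestamp check.
    stale = server.accepts(original, now=T0 + 3600)

    # Replay with a rewritten timestamp: T_1 is fresh but M_1 no longer matches.
    patched = dict(original, T_1=T0 + 3600)
    patched_rejected = server.accepts(patched, now=T0 + 3601)

    # Verbatim copy inside the window: only the replay cache stops it.
    copy_in_window = server.accepts(dict(original), now=T0 + 2)
    return {"fresh": fresh, "stale": stale, "patched": patched_rejected,
            "copy_in_window": copy_in_window}


if __name__ == "__main__":
    print(scenarios())
```

The comparison of the recomputed hash uses `hmac.compare_digest` so that the server's rejection time does not depend on how many leading bytes of a forged $M_1$ happen to match.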

Offline Dictionary Attack
In the proposed scheme, suppose the adversary obtains the values stored in the smart card, $\{f_i, h_i, k_i, r_i\}$. The adversary could attempt a dictionary attack in the following steps:
1. The adversary inserts the smart card into a card reader and inputs a candidate identity and password pair $ID_i$ and $PW_i$.
2. SC computes the login values: SC gets the current timestamp $T_1$ and $k_i$, computes the hash values, and finally sends $\{k_i, A_1, M_2, T_1\}$ to the server S.
3. If the server sends back a reply message, the identity and password pair is correct; otherwise, go to step 1.
Every guess therefore has to be submitted to the server, which is what makes a rate limit effective. Let $q_{send}$ be the number of messages an adversary can send to the server S in a time period. The server sets a limit on $q_{send}$; once it is exceeded, the server no longer processes incoming messages from this adversary, so the dictionary attack cannot continue in that time period. Let $|D_{id}|$ and $|D_{pass}|$ be the dictionary sizes of the identity and of the password. The probability $p_{adv}$ that the adversary guesses the identity and password pair correctly is
$$p_{adv} = \frac{q_{send}}{|D_{id}| \cdot |D_{pass}|}$$
With $|D_{id}|$ and $|D_{pass}|$ large enough, $p_{adv}$ is a small value. The analysis above is for the authentication phase; the attack on the password change phase is the same.
Meanwhile, in the scheme of Chaudhry et al. [6], the adversary can conduct an offline dictionary attack in the following steps:
1. The adversary inserts the smart card into a card reader and inputs a candidate identity and password pair $ID_i$ and $PW_i$.
2. The adversary waits for the computation of the smart card.
3. If the smart card sends out a message, the identity and password pair is correct; otherwise, go to step 1.
As there is no limit, the adversary can try as many times as he wants and will eventually obtain the correct identity and password pair. Because the proposed scheme gives the adversary no such local check, it also withstands the smart card loss attack: when the smart card is lost, the adversary cannot launch an offline dictionary attack to obtain the private key of the client.
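The difference between the two attacks above, as an added simulation that is not code from the paper: a card that verifies the pair locally (the behaviour attributed to Chaudhry et al. [6]) is an unlimited offline oracle, whereas a card that stores no verifier forces every guess through a server that answers at most $q_{send}$ messages per period, which gives the bound $p_{adv} = q_{send} / (|D_{id}| \cdot |D_{pass}|)$. The stored verifier $h(ID \| PW \| r)$, the dictionaries and the quota are constructed stand-ins; LAuth's actual card contents $\{f_i, h_i, k_i, r_i\}$ are not defined on this page.

```python
import hashlib
import itertools


def h(*parts: bytes) -> bytes:
    """SHA-256 over the concatenation of the parts."""
    return hashlib.sha256(b"".join(parts)).digest()


class LocalOracleCard:
    """Simplified model of a card that checks ID/PW itself and emits a login
    message only when the pair is right. The verifier v is a constructed stand-in."""

    def __init__(self, ID: bytes, PW: bytes, r: bytes):
        self.r = r
        self.v = h(ID, PW, r)

    def login(self, ID: bytes, PW: bytes):
        # A message only on success: a free, unlimited local oracle for the attacker.
        msg = h(ID, PW, self.r)
        return msg if msg == self.v else None


class BlindCard:
    """Simplified model of the LAuth-style card: it stores no verifier, so it
    always emits a message and the attacker learns nothing without the server."""

    def __init__(self, r: bytes):
        self.r = r

    def login(self, ID: bytes, PW: bytes) -> bytes:
        return h(ID, PW, self.r)


class RateLimitedServer:
    """Verifies login messages and answers at most q_send of them per period."""

    def __init__(self, ID: bytes, PW: bytes, r: bytes, q_send: int):
        self.v = h(ID, PW, r)
        self.q_send = q_send
        self.answered = 0

    def verify(self, msg: bytes):
        if self.answered >= self.q_send:
            return None            # quota exhausted: the message is not processed
        self.answered += 1
        return msg == self.v


def offline_attack(card: LocalOracleCard, ids, pws) -> int:
    """Number of local tries until the oracle card accepts a pair (-1 if never)."""
    for tries, (ID, PW) in enumerate(itertools.product(ids, pws), start=1):
        if card.login(ID, PW) is not None:
            return tries
    return -1


def online_attack(card: BlindCard, server: RateLimitedServer, ids, pws):
    """Submit every candidate to the server; returns (messages answered, found)."""
    for ID, PW in itertools.product(ids, pws):
        verdict = server.verify(card.login(ID, PW))
        if verdict is None:
            break                  # cut off for the rest of the period
        if verdict:
            return server.answered, True
    return server.answered, False


def p_adv(q_send: int, d_id: int, d_pass: int) -> float:
    """p_adv = q_send / (|D_id| * |D_pass|), the bound from the analysis above."""
    return q_send / (d_id * d_pass)


def demo(q_send: int = 20) -> dict:
    ids = [f"id{i:02d}".encode() for i in range(50)]      # |D_id| = 50 (constructed)
    pws = [f"pw{j:03d}".encode() for j in range(200)]     # |D_pass| = 200 (constructed)
    ID, PW, r = ids[37], pws[123], b"constructed-r_i"
    offline = offline_attack(LocalOracleCard(ID, PW, r), ids, pws)
    answered, found = online_attack(
        BlindCard(r), RateLimitedServer(ID, PW, r, q_send), ids, pws)
    return {"offline_tries": offline, "online_answered": answered,
            "online_found": found, "p_adv": p_adv(q_send, len(ids), len(pws))}


if __name__ == "__main__":
    print(demo())
```

Against the oracle card the attacker simply counts until the card accepts; against the blind card the server stops answering after $q_{send}$ messages, so within one period the attacker can test no more than $q_{send}$ of the $|D_{id}| \cdot |D_{pass}|$ candidates.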

Impersonation Attack
In the scheme of Tu et al. [3], an adversary can impersonate the server. Given the message a user sends to the server, $\{username, V, W\}$, the adversary can forge a reply as follows, and the user is unable to tell whether it comes from the adversary or from the server: generate random numbers $c, r \in Z_n$ and compute $C = c \cdot P$, $K = c \cdot V$. In the proposed scheme, by contrast, an adversary who wants to impersonate the server has to obtain $d_i = h(ID_i \| X_{GWN})$; the probability that an adversary guesses $d_i$ correctly is $p_{d_i} = \frac{1}{|D_{id}| \cdot |D_{X_{GWN}}|}$, where $|D_{X_{GWN}}|$ is the dictionary size of the server's private key.

Secret Information Leakage Problem
In the scheme of Tu et al. [3], if an adversary obtains the session ephemeral value $b$, it can recover the secret information $h(username \| s) \cdot P$ as follows: $h(username \| s) \cdot P = b^{-1} \cdot V$. With this secret information, the adversary can impersonate a legitimate client. In the proposed scheme, by contrast, even if the session ephemeral information is leaked, the adversary is unable to obtain the client's secret information.
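The recovery $h(username \| s) \cdot P = b^{-1} \cdot V$ carried out on secp256k1 (the curve named in the communication-cost analysis), as an added example that is not code from the paper or from Tu et al. [3]. It assumes $V = b \cdot h(username \| s) \cdot P$ with $P$ the generator, the hash mapped into $Z_n$ by reducing SHA-256 modulo the group order, and constructed values for the username and the server secret $s$; the affine point arithmetic is written out so the block runs without an EC library.

```python
import hashlib
import secrets

# secp256k1 domain parameters.
P_MOD = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None   # point at infinity


def ec_add(p1, p2):
    """Affine point addition on y^2 = x^3 + 7 over F_p (curve coefficient a = 0)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF                                   # p1 == -p2
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def ec_mul(k, p):
    """Double-and-add scalar multiplication k*p (k reduced modulo the order N)."""
    r, q, k = INF, p, k % N
    while k:
        if k & 1:
            r = ec_add(r, q)
        q = ec_add(q, q)
        k >>= 1
    return r


def h_scalar(*parts: bytes) -> int:
    """h(.) mapped into Z_n: SHA-256 of the concatenation, reduced mod N (assumed)."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big") % N


def static_secret(username: bytes, s: bytes):
    """The client's long-term secret point h(username || s)·P, with P = G."""
    return ec_mul(h_scalar(username, s), G)


def client_V(username: bytes, s: bytes, b: int):
    """V = b·h(username || s)·P, the form implied by h(username||s)·P = b^{-1}·V."""
    return ec_mul(b, static_secret(username, s))


def recover_from_leaked_b(V, b: int):
    """Adversary's step: b^{-1}·V, with the inverse of b taken modulo N."""
    return ec_mul(pow(b, -1, N), V)


def demo():
    username, s = b"alice", b"constructed-server-secret-s"   # constructed inputs
    b = secrets.randbelow(N - 1) + 1                           # the leaked ephemeral
    V = client_V(username, s, b)
    recovered = recover_from_leaked_b(V, b)
    # Holding the static point, the adversary forms V' for a fresh b' that is
    # identical to what the legitimate client would send for that b'.
    b2 = secrets.randbelow(N - 1) + 1
    forged = ec_mul(b2, recovered)
    return recovered == static_secret(username, s), forged == client_V(username, s, b2)


if __name__ == "__main__":
    print(demo())
```

The point recovered from a single leaked $b$ is the client's long-term secret, not a per-session value, which is why one leak is enough for impersonation in every later session.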
The results are summarized in Table 10, which shows that the proposed scheme provides more security features than the schemes in the related works.

Conclusions
In this study, an authentication and key establishment scheme between remote clients and a server is proposed. The proposed scheme has been verified with AVISPA and BAN Logic, and the verification results show that it withstands various attacks. The proposed scheme has been simulated in C++; the comparison shows clearly that it is more efficient than the related works in both computation cost and communication cost. Besides, the proposed scheme has more security features than the related works. Our work is part of the LifeWear project, in which we focus on the safety of data transmission and the identity privacy problem.