A Multi-Server Two-Factor Authentication Scheme with Un-Traceability Using Elliptic Curve Cryptography

To provide secure communication, the authentication-and-key-agreement scheme plays a vital role in multi-server environments, Internet of Things (IoT), wireless sensor networks (WSNs), etc. This scheme enables users and servers to negotiate for a common session initiation key. Our proposal first analyzes Amin et al.’s authentication scheme based on RSA and proves that it cannot provide perfect forward secrecy and user un-traceability, and is susceptible to offline password guessing attack and key-compromise user impersonation attack. Secondly, we provide that Srinivas et al.’s multi-server authentication scheme is not secured against offline password guessing attack and key-compromise user impersonation attack, and is unable to ensure user un-traceability. To remedy such limitations and improve computational efficiency, we present a multi-server two-factor authentication scheme using elliptic curve cryptography (ECC). Subsequently, employing heuristic analysis and Burrows–Abadi–Needham logic (BAN-Logic) proof, it is proven that the presented scheme provides security against all known attacks, and in particular provides user un-traceability and perfect forward security. Finally, appropriate comparisons with prevalent works demonstrate the robustness and feasibility of the presented solution in multi-server environments.


Introduction
With the recent advancements in Internet and communication technology and the growing demand for sharing multiple data resources, secure and efficient communication between the involved stakeholders has become more essential in areas such as e-commerce, telecare medical information, distributed cloud storage systems, etc. Obviously, privacy protection has emerged as a vital issue for secure and trusted communication. For secure and effective communication over an insecure network, the involved parties are required to negotiate on a common session key beforehand. For such negotiations, authentication-and-key-agreement protocols serve as the only solution. The first password authentication with insecure communication was established by Lamport in 1981 [1]. Later, Frank et al. [2] presented an authentication protocol based on hypertext transport protocol in scheme fails to ensure user un-traceability, and is prone to key-compromise user impersonation attack and offline password guessing attack. (3) To overcome these limitations, we design a two-factor authentication-and-key-agreement scheme for multi-server architecture while incorporating ECC. (4) The presented scheme ensures perfect forward secrecy, user anonymity, and un-traceability. Moreover, it provides security against major attacks, including impersonation attack, offline password guessing attack, key-compromise user impersonation attack, etc. (5) The security analysis using Burrows-Abadi-Needham logic (BAN-Logic) provides that the proposed protocol ensures secured mutual authentication between a remote user and server.

Outline of This Paper
The remaining contents of the proposal are organized as follows: cryptographic primitive and attacker model are detailed in Section 2. The scheme of Amin et al., and its cryptanalysis are presented in Sections 3 and 4, respectively. Sections 5 and 6 provide the scheme of Srinivas et al., and its cryptanalysis, respectively. The improved version of the proposed scheme is provided in Section 7. The heuristic security analysis and BAN-Logic are presented in Sections 8 and 9, respectively. Section 10 details the security and performance comparisons. Finally, Section 11 contains the concluding remarks.

Preliminary
We take advantage of ECC to present a two-factor authentication scheme. The following section briefly introduces the collision-resistant cryptographic one-way hash function as well as some computationally infeasible problems, including the elliptic curve computational Diffie-Hellman Problem (ECCDHP) and the elliptic curve discrete-logarithm problem (ECDLP). Table 1 depicts some notations and descriptions that are used in the proposed scheme.

Intractable Problems in ECC
The elliptic curve equation over a finite field F p in ECC takes the form E p (a, b) : 1. ECDLP: The elliptic curve discrete-logarithm problem over elliptic curve E p (a, b) refers to computing m ∈ F * p from Q = mP for given P, Q ∈ E p (a, b).

ECCDHP:
The elliptic curve computational Diffie-Hellman problem over elliptic curve E p (a, b) refers to computing mnP, given points mP, nP ∈ E p (a, b).

Adversary Model
According to [18,[42][43][44][45][46][47], the capacities of A in authentication and key agreement schemes, which are used in cryptanalysis of Amin et al.'s scheme, Srinivas et al.'s scheme, and our proposed scheme, are listed as follows: 1. A is able to intercept, block, delete, modify, and resend the message contents through an open channel. 2. Because identity and password have low entropy, A can enlist all pairs of (Pw i , Id i ) simultaneously from (D Pw , D Id ) within polynomial time, where D Pw and D Id refer to the space of passwords and identities in D Pw and D Id , respectively. 3. A can either acquire Pw i of the U i via malicious device or reveal the information from SC, but is not permitted to use both methods together. 4. A can acquire a server's private key while evaluating forward secrecy or key-compromise user impersonation attack. 5. A has the ability to reveal all parameters of the smart card when assessing stolen smart-card attack, offline password guessing attack, impersonation attack, forward secrecy, etc.

Brief Review of Amin et al.'s Proposal
This section provides a brief review of Amin et al.'s [26] authentication scheme for Session Initiation Protocol (SIP). The scheme presented by the authors comprises four stages: initialization, registration, login and authentication, and password updation. We omit the description of the password updation stage.

Initialization
S takes two large primes p and q as secret parameters to calculate n = p × q as a public parameter. Afterwards, S chooses a prime e to obtain d by computing e × d ≡ 1 mod (p − 1)(q − 1), such that 1 < e < (p − 1)(q − 1).

U i enters an identity
After finishing this verification, S randomly selects a number and computes 3. Once receiving the response message from S, SC checks the validity of T s . After finishing the verification, SC checks whether N * 2 = N 1 ⊕ Z i , X * i = H(N * 2 ||CId i ) and verifies X * i =?X i . If it holds, U i accepts the response message. Finally, S and U i calculate the session key:

Limitations of Amin et al.'s Scheme
According to the adversary model presented in Section 2.3, in the following, we prove that Amin et al.'s scheme is unable to provide user un-traceability and perfect forward secrecy, and is prone to key-compromise user impersonation attack and offline password guessing attack.

User Un-Traceability
Observing the protocol of Amin et al., it can be found that Y i is transmitted during the login request message stage. However, Y i = CID i ⊕ h(PWr i ||ID i ) is a fixed value in SC, unless U i changes their password during the password updation stage. Usually, the user does not change their password after every session. Therefore, U i can be traced by the adversary using Y i . Hence, Amin et al.'s protocol does not ensure user un-traceability.

Offline Password Guessing Attack
Offline password guessing attack is the main limitation for most of the presented proposals addressing authentication. If A somehow steals the SC of U i and embeds the data {Reg i , Y i , r} in it, then the adversary A can perform the following steps to obtain Id i and Pw i of U i .
1. From the password dictionary space D PW , the adversary A randomly chooses the password PW * , and picks up the identity ID * from the identity dictionary space D ID .

A calculates PWr
To check the correctness of Pw * and Id * , A examines whether Reg * i = Reg i , where Reg i belongs to SC of U i . 6. If the aforementioned equality holds, A's guess results as successful. Otherwise, A repeats Steps 1-5 until it obtains the correct password and identity of U i .
From the aforementioned procedure, we find that the computational time complexity of offline password guessing attack is O(|D PW | * |D ID | * 3T h ), where |D Pw |, |D Id |, and T h refer to the number of D Pw , the number of D Id , and the performing time of hash function h(·), respectively. According to [48][49][50], usually, |D Id | < |D Pw | < 10 6 . Therefore, the aforementioned attack is very efficient. Hence, Amin et al.'s protocol is unable to resist offline password guessing attack. Actually, the verified data Reg i are stored in U i 's smart card, which is the main reason for the success of the above attack. By computing Reg i , the smart card is able to check the correct login of the legal user. Moreover, it also gives A the chance to guess password and identity. Since the identity and password have low entropy in such scenarios, A can guess them successfully within polynomial time.

Lacks of Perfect Forward Secrecy
Assume that the A obtains the long term private key d of S and eavesdrops the transmitted Having that information, A can easily calculate two key random numbers {N 1 , N 2 }. A undergoes the following procedure to compute SK between U i and S.

The adversary
The computational time overhead of the aforementioned attack is O(2T h + T e + T eor ), where T e and T eor are the running time of modular exponentiation and exclusive-or operation, respectively. Therefore, the protocol of Amin et al. does not ensure perfect forward secrecy. This problem can be solved by adding an operation of public key cryptography, which slightly increases the computation load. However, it is a feasible approach in terms of the trade-off between security and practicality.

Key-Compromise User Impersonation Attack
If the long-term private key d of S is revealed to the adversary A in Amin et al.'s protocol, A can impersonate the legitimate user U i to S as follows: , and subsequently calculates CId i = H(Id i ||d) and Upon receiving the forged message, obviously S can verify it successfully. Thus, S randomly provokes a number N 2 , and computes is the common session key between a legitimate user and itself. However, in actual terms, A acts as U i .
Therefore, Amin et al.'s protocol is unable to resist key-compromise user impersonation attack.

Review of Srinivas et al.'s Scheme
The following section reviews Srinivas et al.'s protocol [29] comprising four steps: initialization, registration, login and authentication, and password updation stage.

Initialization
The trusted registration center RC during this stage selects a 1024-bit large prime p, generates g ∈ Z * p , chooses a one-way hash function H(·) : {0, 1} * → Z * p , and randomly picks a number mk as the master secret key.

Server Registration
S j (1 ≤ j ≤ k) chooses a unique identity SId j and sends SId j to RC through a secure-medium. Upon receiving SId j , RC calculates r j = H(SId j ||mk), and sends {r j , p, g, H(·)} to S j through a secure medium.

User Registration
First, a new user U i selects Id i , Pw i , and randomly chooses a number r i . Subsequently, the user calculates

U i inserts SC i into a card reader and inputs
Afterwards, SC i randomly generates a number a, chooses the current time stamp T i , and calculates S j terminates the login request if the expression does not hold. Apart from that, S j a random number b and calculates . Subsequently, SC i checks R * j =?R j and terminates this login request if the expression does not hold. Otherwise, SC i calculates R i = H(U Id i ||X i ||Y j ||SK ij ||v ij ) and transmits it to S j through a public channel. 4. Upon acquiring R i , S j computes R * i = H(U Id i ||X i ||Y j ||SK ji ||H(r j ||U Id i )) and checks R * i =?R i . After successful accomplishment of all steps, S j and U i believe that they have the common session key SK ij = SK ji .

Password Updation Stage
After the authentication session between SC i and targeted server S j , U i inputs Id i , Pw i , and a new password Pw new . Subsequently,

Limitations of Srinivas et al.'s Protocol
According to the adversary model presented in Section 2.3, we present some possible attacks for Srinivas et al.'s protocol, including key-compromise user impersonation attack, offline password guessing attack, and lack of user un-traceability. The details are described in the following sections.

Offline Password Guessing Attack
Assume that A extracts the information {s i1 , s i2 , · · · , s ik , B i , p, g, H(·)} of SC i by side-channel attack. Now, A can execute the following steps to get the correct identity ID i and password PW i of user U i in polynomial time.
1. From the password dictionary space D PW , the adversary A chooses the password PW * , and picks up the identity Id * from the identity dictionary space D Id .
If it holds, then Pw * and Id * is the correct identity and password pair. Otherwise, A repeats Steps 1-6 until it obtains the correct identity and password of U i .
We determine the computational time complexity of the aforementioned attack algorithm. That is, where |D Pw |, |D Id |, and T h are the number of D Pw , the number of D Id , and the time to compute hash function h(·), respectively. According to [48][49][50], usually, |D Id | < |D Pw | < 10 6 . Therefore, the offline password guessing attack is very efficient. Thus, Srinivas et al.'s protocol is not resistant against offline password guessing attack.

Lack of User Un-Traceability
It can be observed from Srinivas et al.'s protocol that the attacker can get U Id i transmitted within the login request message. Since U Id i = H(Id i ||r i ) is a fixed value, where Id i and r i are invariable, unless the user U i changes their password during the password updation stage, any adversary can trace the user U i by using U Id i . Therefore, Srinivas et al.'s protocol cannot provide user un-traceability.

Key-Compromise User Impersonation Attack
If the long-term private key r j of S j is revealed to A in Srinivas et al.'s protocol, then A can adopt the following actions to impersonate the legitimate U i to S j .

1.
A intercepts the login request message {U Id i , X i , h ij , T i } of U i , and calculates v ij = H(r j ||U Id i ). 2. A randomly selects a number a to compute X i = g a mod p, h ij = H(v ij ||U Id i ||SId j ||X i ||T i ).
Afterwards, A sends the forged login request message {U Id i , X i , h ij , T i } to S j . 3. Obviously, the forged message can pass the verification of S j . Thus, S j randomly chooses a number b to compute Y j = g b mod p, z ji = (X i ) b mod p. Subsequently, S j chooses the current time stamp T j to compute SK ji = H(U Id i ||SId j ||T i ||h ij ||T j ||z ji ) and transmits it to S j through a public channel. 5. S j receives R i , computes R i = H(U Id i ||X i ||Y j ||SK ji ||H(r j ||U Id i )), and checks whether R i =?R i .
After finishing all steps successfully, S j believes that it holds the common session key SK ij = SK ji with U i . Actually, however, A plays as U i . Thus, A successfully impersonated U i to S j under the condition that the long-term private key of the server was leaked.
Therefore, Srinivas et al.'s protocol is prone to key-compromise user impersonation attack.

The Improved Scheme
The following section presents an improved mutual authentication protocol that gets motivation from Srinivas et al.'s [29] scheme to incorporate ECC. The presented solution not only remedies the limitations of Amin et al.'s [26] and Srinivas et al.'s [29] schemes, but also ensures mutual authentication and is resistant to many known attacks. The presented scheme comprises five stages: initialization, server registration, user registration, authentication-and-key-agreement, and password updating. The notations of the presented scheme are listed in Table 1. Figures 2-4 depict the registration and authentication process of the proposed protocol.
Registration Center (RC) Registration Phase: Inputs SId j SId j Q j = r j P and selects a random number c j ∈ Z * p Computes r j = H(SId j ||mk||s j ) r j , Q j , P, c j , H(·)

Secure Channel
Stores {r j , Q j , P, c j , H(·)} Generates s j ∈ Z * p Figure 2. Server registration.
Registration Phase: and selects a random number r i ∈ Z * p Chooses an integer 2 4 ≤ n0 ≤ 2 8 and generates a random number New smart card: Figure 3. User registration.
Login and Authentication Phase: The common session key: Inserts SC i and inputs Id i , P w i

Initialization
RC chooses an elliptic curve E p (a, b) from F p , where p is a 160-bit-long prime number. Afterwards, RC selects a fixed point P = ∞ ∈ E p (a, b), and one-way hash function H() : {0, 1} * → Z * p , and randomly picks a number as mk.

Server Registration
1. S j chooses an identity SId j and transmits it to RC via a secure-medium. 2. RC receives the registration message, randomly generates a number s j ∈ Z * p , and computes r j = H(SId j ||mk||s j ), Q j = r j P. Subsequently, RC randomly generates a number c j for S j . Finally, RC sends {r j , Q j , c j , P, H(·)} to S j through secure-medium. 3. S j stores {r j , Q j , c j , P, H(·)} in its database.

User Registration
After the successful registration of U i with RC, U i can communicate with any server S j (1 ≤ j ≤ k).
1. U i selects Id i , Pw i , and randomly generates a number r i ∈ Z * p to compute RPw i = H(Id i ||Pw i ||r i ). Afterwards, U i transmits the registration request message {Id i , RPw i } to RC through a secure medium. 2. Upon receiving the registration message, RC randomly generates numbers r s ∈ Z * p , 2 4 ≤ n 0 ≤ 2 8 , and computes the following: , n 0 , Q j , P, H(·)} into a new SC i . and sends it to U i through secure-medium. 3. U i stores r i in SC i .

Login and Mutual Authentication
U i initiates the login and authentication request for sending to S j by performing the following steps.
1. U i inserts SC i into a card reader and inputs Id i , Pw i . SC i computes RPw i = H(Id i ||Pw i ||r i ), and subsequently calculates A * i = H((H(Id i ) ⊕ RPw i ) mod n 0 ). Afterwards, SC i inspects the correctness of A * i while comparing it with the value of A i sorted in SC i . If A * i = A i , Id i and Pw i are validated. Otherwise, the session is expired. SC i continues to compute v ij = s ij ⊕ H(Id i ||RPw i ) and randomly selects a number a i ∈ Z * p to calculate the following: X i = a i P, X ij = a i Q j , In the case of invalidation, S j terminates the session and sets the counter N = 1. S j keeps suspending the card until U i registers again if N surpasses some threshold mark (e.g., 8). Otherwise, S j randomly selects a number b j to compute The session is aborted if these are not equal, . Otherwise, S j is authenticated by U i and U i accepts SK * ij . Afterwards, U i computes R i = H(v ij ||X i ||Y j ||SK * ij ||Id i ). Finally, U i transmits the challenge message R i to S j through an open channel. 4. Upon receiving the challenge message from U i , S j computes R * i = H(v ij ||X i ||Y j ||SK * ij ||Id i ) and verifies whether R * i ? = R i . If these are equal, then U i is authenticated successfully.
Finally, both U i and S j share the common session key SK = SK * ij = SK ij .

Password Updation
U i is able to change their password whenever they want, for which U i and SC i have to undergo the following procedure: 1. U i inserts the SC i into a card reader and inputs Id i , current password Pw i , and password to be updated Pw * i . 2. SC i computes RPw i = H(Id i ||Pw i ||r i ), and A i = H((H(Id i ) ⊕ RPw i ) mod n 0 ). Afterwards, SC i checks whether A i ? = A i . In case of inequality, SC i refuses U i to update the password. 3. Apart from that, SC i randomly selects a number r * i to compute (1) we employ "honey words" + "fuzzy-verifiers" to resist against offline password guessing attack [42]; (2) according to [47], to provide perfect forward secrecy, we use public key cryptosystems (e.g., ECC); (3) we store a secret parameter c j in the server database which cannot be compromised by the adversary in order to resist key-compromise user impersonation attack; and (4) to provide user un-traceability, we deploy a dynamic identity technique via a public key algorithm, that is, PId i .

Security Inspection
This section provides the details of how the presented protocol ensures the security against all known attacks, including key-compromise user impersonation attack and offline password guessing attack. Further, it also offers more comprehensive security features, in particular, user un-traceability and perfect forward secrecy under the capabilities of the adversary that were introduced in Section 2.3.

User Un-Traceability and Anonymity
During the login authentication stage, Id i is not sent through the public channel. Even if A intercepts the login request messages {PID i , X i , h ij } from the public channel, A still cannot extract Id i from PId i , because PId i is protected by H(X ij ) and is a dynamic identity. Thus, the proposed scheme provides the user un-traceability and anonymity.

Stolen Smart-Card Attack
In the proposed scheme, even if A steals SC i of U i , then A can extract the parameters {A i , r i , s ij (1 ≤ j ≤ k), n 0 , Q j , P, H(·)} stored in SC i utilizing power analysis technology, and captures the transmitted message over a public channel. However, as per the following details, A cannot execute any attack. Thus, the presented protocol is secured against stolen smart-card attack.

Offline Password Guessing Attack
Assuming that A steals SC i and extracts {A i , r i , s ij (1 ≤ j ≤ k), n 0 , Q j , P, H(·)} stored in it. A intercepts all messages {PId i , X i , h ij }, {Y j , R j }, {R i } over a public channel. If A guesses an ID Id i and a password Pw i , A can calculate RPw i = H(Id i ||Pw i ||r i ), and then figures out [42], A can obtain the reduced password guessing space of size |D| n 0 , where D is the space of passwords. Further, A can guess the correct password only by online password guessing. However, S j prevents this guessing by using a login request threshold value (e.g., 8). Once the number of online guesses exceeds the threshold value, S j will terminate communication and suspend SC i until U i registers again. Therefore, the presented scheme offers resistance against offline password guessing attack.

Privileged Insider Attack
If an internal attacker eavesdrops the registration information {Id i , RPw i } during user registration, A is unable to get Pw i , because it is secured by one-way hash function H(·) as well as with random number r i . Thus, the presented scheme is immune to the privileged insider attack.

Key-Compromise User Impersonation Attack
If the adversary steals the long-term private key of the server, it is still unable to impersonate the user to the server. This kind of attack is referred to as a key-compromise user impersonation attack. In the presented protocol, even if r j of S j is revealed to A, still A cannot determine v ij = H(r j ||Id i ||c j ), because A is unable to obtain the random number c j . Therefore, A cannot forge the login request message {h ij }, and therefore cannot be authenticated by S j . That is, A cannot impersonate U i . Thus, the presented protocol is insusceptible to key-compromise user impersonation attack. Further, it implies that the presented scheme ensures resistance against user impersonation attack.

Server Impersonation Attack
A intercepts the response message {Y j , R j } if A tries to make a server impersonation attack. A randomly generates a number b j to compute Y j = b j P, z ij = b j X i . Afterwards, A tries to compute SK ij and R j . Since A does not know v ij and X * ij computed by the secret key {r j , c j } of S j , A is unable to calculate SK ij and cannot forge R j . Thus, A cannot carry out the server impersonation attack.

Replay Attack
If A intercepts the login message {PId i , X i , h ij } from U i , and wants to replay this message to S j . This replay attack is easily captured by inspecting the freshness of X i in the presented scheme, where X i = a i P, and a i is a random number. Similarly, replaying the challenging message and response message is detected by either U i or S j . Thereupon, it is inferred that the presented protocol is immune to replay attack.

Known Key Security
Suppose that A compromises the previous session key SK ij = H(Id i ||SId j ||v ij ||z ij ||X ij ) between U i and S j . However, the next session key SK ij will be computed by new random numbers a i and b j . That is, SK ij = H(Id i ||SId j ||v ij ||z ij ||X ij ). To calculate the new session key, A has to compute a i , b j , a i b j P, a i Y j , b j X i from X i , Y j . However, this is computationally infeasible for A because of ECDLP and ECCDHP. Therefore, the presented scheme offers known key security.

Mutual Authentication
In the proposed scheme, only the legitimate h ij and R i can be verified by S j , and only the legitimate R j can be verified as the user U i . That is, the proposed scheme allows S j and U j to authenticate each other. Thus, the presented protocol ensures mutual authentication between a legitimate U i and S j .

Man-in-the-Middle Attack
It is impossible for A in the proposed scheme to compute the correct login request and challenge message. Therefore, A cannot be authenticated by the server. Moreover, A is unable to calculate the correct response message, and thus A cannot pass the user verification. It is therefore inferred that the proposed scheme is immune to man-in-the-middle attack.

Denial-of-Service Attack
If U i wants the login authentication in the proposed scheme, it must input the correct Id i and Pw i to pass the verification of SC. If A inputs wrong Id i and Pw i into SC, A is unable to compute the correct login request message. Moreover, if U i wants to update the password, it has to pass the verification of SC. An incorrect or previous password cannot pass the verification. Therefore, the proposed scheme ensures resistance against denial-of-service attack.

Perfect Forward Secrecy
Suppose that r j of S j is compromised and A acquires r i , Id i , and Pw i . To calculate the correct SK ij = H(Id i ||SId j ||v ij ||z ij ||X ij ), A is required to calculate z ij , X ij . However, it is impossible for A to compute z ij , X ij because of ECDLP and ECCDHP. Thus, A is not capable of figuring out SK ij . Therefore, the presented protocol ensures perfect forward secrecy.

BAN-Logic Proof
BAN is a logic of belief. The intended use of BAN is to analyze authentication protocols by deriving the beliefs that honest principals correctly executing a protocol can come to as a result of the protocol execution. For example, a user might come to believe that a session key they have negotiated with a server is a good key for a future session [51]. This section incorporates the BAN-Logic [52] to prove the session key agreement between user U i and server S j after the execution of the improved scheme. BAN-Logic notations and Basic BAN-Logic postulates are described in Tables 2 and 3. Table 2. Burrows-Abadi-Needham logic (BAN-Logic) notations.

Symbol Description
←→ B A and B utilize shared key K for communication (X, Y) K use K as key to compute hash values of X and Y < X > K X is exclusive or-ed with K

Idealized Scheme
The ideal form of the presented protocol is derived as follows:

Security Objectives
We prove that the improved scheme can satisfy the following objective:

Initiative Premises
For the initial status of the proposed scheme, the following assumptions are made.

Proof Procedure
The main proof steps of the proposed scheme are presented below.
Step 1. From Message 2, it shows the following: Step 2. From Step 1, IP 5, and the message-meaning rule, it illustrates the following: Step 3. From IP 1 and the freshness conjuncatenation rule, the following can be inferred: Step 4. From Steps 2 and 3, the freshness rule, and the nonce verification rule, we obtain the following: Step 5. From Step 4 and the believe rule, we deduce the first objective as follows: Step 6. From Objective 1, IP 7, and the jurisdiction rule, we accomplish the second objective as follows: Step 7. From Message 1, it indicates the following: Step 8. From Step 7, IP 6, and the message meaning rule, the following can be inferred: Step 9. From IP 2 and the freshness conjuncatenation rule,the following can be obtained: Step 10. From Steps 8 and 9, the freshness rule, and the nonce-verification rule, we determine the following: Step 11. From Step 10 and the believe rule, the third objective can be achieved as follows: Step 12. From Objective 3, IP 8, and the jurisdiction rule, the fourth objective is accomplished as follows: By accomplishing Objectives 1-4, both U i and S j believe that the SK is settled between them. Therefore, the proposed scheme ensures mutual authentication along with key agreement.

Performance Comparison
This section analyzes the computational and security performance of the presented scheme while comparing it with multiple schemes, including those of Awasthi et al. [23], Huang et al. [25], Amin et al. [26], Pippal et al. [27], Li et al. [28], and Srinivas et al. [29]. The exclusive-OR operation and string concatenation are usually neglected when comparing the computational cost. However, the following operations are considered: T me , the execution time of point multiplication operation; T e , the time for execution of modular exponentiation operation; T h , the running time of a hash operation; and T mm , the running time for modular multiplication operation. More precisely, we compare the experimental results of the aforementioned operations as performed by [53,54], where T e , T me , T h , and T mm take 3.85 ms, 2.226 ms, 0.0023 ms, and 0.001855 ms, respectively (Table 4). Following [53,54], the aforementioned operations were executed on a computing platform having Intel Pentium Dual Core E2200 2.20 GHz processor, the Ubuntu 12.04.1 LTS 32-bits operating system, and 2048 MB of RAM. In Table 5, we compare the schemes of [23,[25][26][27][28][29] with the presented protocol in terms of security. In Table 5, we observe that [23,[25][26][27][28][29] cannot provide [C 1 − C 3 , C 5 ] features. The scheme in [26] is still unable to provide perfect forward secrecy [C 12 ], although the authors used RSA-based public cryptography. The proposed scheme fulfills all known security features [C 1 − C 12 ]. Thus, the presented scheme surpasses [23,[25][26][27][28][29] in terms of security. Table 6 presents the computational cost of the schemes [23,[25][26][27][28][29] and the proposed scheme for login and authentication. The computational cost of the proposed protocol is comparatively lower than the schemes in [23,25,[27][28][29], but slightly higher than the scheme in [26]. However, according to Table 5, the scheme in [26] cannot address [C 1 − C 3 , C 5 , C 12 ] security features. Thus, combining Tables 5 and 6, we remark that the presented solution is more feasible for practical multi-server environments in terms of the trade-off between usability and security. Table 6. Comparison of computational complexity.

Conclusions
This paper first analyzes Amin et al.'s [26] scheme and proves that the considered scheme cannot provide perfect forward secrecy and user un-traceability, and is susceptible to offline password guessing attack and key-compromise user impersonation attack. Second, we review Srinivas et al.'s [29] multi-server authentication scheme while proving that it cannot resist offline password guessing attack and key-compromise user impersonation attack, and is unable to ensure user un-traceability. Afterwards, to address the limitations of prevalent works, we put forward an enhanced multi-server two-factor authentication scheme. Heuristic analysis and BAN-Logic proof ensure that the presented scheme includes various known security features. The security and efficiency analyses display the robustness and efficiency of the presented scheme. Overall, the presented scheme is proven to be more feasible for multi-server authentication-and-key-agreement scenarios in various low-power networks. Moreover, the design and analysis methods in this paper can also be used for authentication protocols in IoT, WSNs, etc.