Offline User Authentication Ensuring Non-Repudiation and Anonymity

User authentication is the key to ensuring that only authorized users can deal with specific affairs and access services. Applications or systems possessing different properties or requirements need different authentication schemes. For example, some institutions or companies need executives to manage or inspect their corresponding departments while the inspected department should not know who the executives are but only can verify their legitimacy. This paper designs a non-repudiation and anonymity-ensured user authentication system to meet the mentioned special requirements. We also propose a user authentication scheme to ensure that the designed system can work as claimed. In the system, a department is equipped with an authentication device, namely the department authentication device, to authenticate an executive while the executive’s identity is not revealed to the department and only the department’s authentication device can identify the executive for non-repudiation. An executive is equipped with an authentication device to have himself/herself authenticated by the department’s authentication device. Moreover, authentication data stored in an executive’s authentication device does not need to be updated even when management personnel changes are made.


Introduction
The purpose of user authentication is to verify that a user is indeed the claimed one. That is, it must be able to identify a user uniquely, and there must exist a way to unambiguously verify the legitimacy of the user. In our daily life, user authentication is common. For example, when a user wants to open a savings account, he/she needs to provide his/her identity card, health insurance card, or driving license to prove who he/she is. Additionally, a user authentication system ensures that only authorized users can deal with specific affairs and access services. This property makes user authentication essential because institutions, companies, or organizations need to protect their resources and ensure that only legal staff or members can deal with specific affairs or access required services.
Factors for user authentication can be classified into three types: something held, something embodied, and something known. Something held can be a barcode, a QR code, a magnetic card, an IC card, a smart card, or any physical object possessed by a user. Something embodied can be divided into three categories. First, it can be any biological feature, such as a user's DNA or blood. Second, it can be a user's morphological features, such as fingerprints, hand geometry, or iris patterns. Third, it can be behavioral characteristics of a user such as how the user speaks, walks, or types on a keyboard. Something known means the specific knowledge only known by the user, such as a password or PIN. In some applications, the system issues a user a mobile device or smart card that can store parameters and compute required parameters. When the user wants to access the system, he/she needs to use the issued mobile device or smart card to prove his/her legality to the system. Some authentication schemes adopting mobile devices or smart cards to enhance security have been proposed [1][2][3][4][5][6][7][8][9][10][11][12][13][14][15][16][17][18][19].
Applications or systems possessing different properties or requirements need different authentication schemes. For example, some institutions or companies need executives to manage or inspect their corresponding departments while the inspected department should not know who the executives are but only can verify their legitimacy. On the other hand, some users care about personal privacy such that they do not want to be traced. In such cases, anonymity needs to be ensured. In conventional authentication schemes, a user's identity will be adopted to identify the user. However, this approach means these authentication schemes lack anonymity. Different from conventional authentication schemes, anonymity-ensured authentication schemes allow a user to be authenticated without revealing his/her real identity. The most significant advantage of these anonymous authentication schemes is to protect the user's identity and prevent other users from tracking and identifying a specific user. To comply with this special requirement, several schemes ensuring anonymity have been proposed [5][6][7][8][9][10][11][12][13][14][15][16][17][18][19].
On the other hand, non-repudiation is another important security requirement in many applications. It denotes that a user cannot deny what he/she has done. To ensure non-repudiation, special mechanisms are required such as digital signatures and receipts of mail. For institutions and companies, non-repudiation is especially essential to authority and responsibility. Company management personnel, such as supervisors, executives, and managers, need to manage or inspect different departments from time to time. Without proper authentication mechanisms, it is impossible for departments to verify the legitimacy of management personnel.
A company may be composed of multiple departments. When the company produces products by itself, it needs a factory. To reduce costs, the factory is usually located far away from the city or on the city's outskirts. Due to the remote location, accessing networks may be difficult. Actually, plenty of authentication schemes need networks involved to transmit information for authentication. Some offline authentication schemes [20][21][22] were proposed to meet the requirements of specific applications.
Furthermore, online authentication schemes may not work under some specific situations. Firstly, even when networks are available, it is still hard to access them in some places such as the basement. Secondly, the failure of networks or the backend authentication server comes into play. Moreover, online authentication schemes need to transmit data to the remote authentication server. This approach raises the threat of various attacks.
Taking the above into consideration, to allow an executive to be authenticated by departments anonymously and offline while non-repudiation is ensured, we design an offline non-repudiation and anonymity-ensured user authentication system and propose an authentication scheme. In the system, every authorized executive will use his/her authentication device to help himself/herself to be authenticated by the department. To ensure anonymity, the department cannot authenticate the executive directly. Alternatively, the department will be issued a department authentication device. The department authentication device works as TPM (Trusted Platform Module). That is, it will tell the department whether the executive is legal instead of who the executive is. Meanwhile, who the executive is can be checked by the department authentication device such that non-repudiation can be ensured. If the executive is successfully authenticated by the department authentication device, he/she can deal with specific affairs. In the designed scheme, data will be transmitted between the executive's authentication device and department's authentication device. To protect anonymity, no one can reveal who the executive is by the transmitted data.
On the other hand, management personnel may change in the real world. For example, executive A who was originally assigned to manage department a is assigned to manage department b. In such a case, executive A is still a legal executive, and only his/her assignment changes. If any change of management personnel results in a significant change in all involved executives' authentication data, this is cumbersome and annoying. In our designed user authentication scheme, authentication data stored in an executive's authentication device does not need to be updated even when management personnel changes are made. To sum up, the proposed offline non-repudiation and anonymity-ensured authentication system needs to possess the following properties to comply with the desired requirements:
1. The legitimacy of a user can be verified offline.
2. Data transmitted between the department's authentication device and the executive's or system administrator's authentication device must be protected.
5. Management can be done easily because authentication data stored in the executive's authentication device does not need to be updated even when personnel changes are made.
The security of the proposed user authentication scheme is based on the factorization problem and discrete logarithm problem. In the designed system, a smartphone can be utilized as the executive's authentication device and system administrator's authentication device. This allows each party to store his/her personal authentication data privately. Although the proposed user authentication scheme is designed to help an executive be authenticated by the department authentication device, it can also be utilized for access control of small-sized enterprises/facilities/apartment complexes where workers/members/residents instead of executives are authenticated.
In the following, three examples are given to show what applications can adopt our proposed system.

Example 1.
Alice is the company's owner. Because there is only sufficient space to accommodate production demand in remote areas, factories of Alice's company are located in remote areas. However, the network infrastructure in remote areas cannot comply with the requirements of real-time applications due to the limited transmission speed. That results in infeasible transmission delays and timeout events when authentication is proceeding. Moreover, employees in Alice's factories may not know who the owner of factories is. Therefore, our proposed system can be utilized to have Alice successfully authenticated by her employees without the help of an authentication server and eliminate latent management threats.

Example 2.
Alice found out that the production output was less than ideal. She suspected that her employees did not use the manufacturing equipment properly, so she decided to personally inspect the job performance of her employees and equipment usage. Because she wants to inspect incognito, she can utilize our proposed system to allow these employees to ensure that Alice is authorized while her employees are unaware of who the inspector is.

Example 3.
Alice is the company's owner and authorizes Eve to be an executive of factories. Unfortunately, Alice finds out that Eve does not work appropriately such that serious problems occur. Therefore, Alice wants to replace Eve with Bob. With our proposed system, Alice can easily revoke and delegate authorization.
The rest of this paper is organized as follows. Preliminaries are introduced in Section 2. The architecture of the designed system is given in Section 3. The proposed user authentication scheme is shown in Section 4. Section 5 shows our property analysis and further security analysis, and demonstrates that the proposed scheme meets the requirements. The performance evaluation and further discussion are shown in Section 6. Finally, some conclusions are drawn in Section 7.

Preliminaries
To meet the specific properties of the proposed user authentication system, we designed the corresponding user authentication scheme, whose security is based on the difficulties of solving the factoring problem and discrete logarithm problem. Two representative public-key cryptosystems are introduced: the RSA cryptosystem [23] and the ElGamal cryptosystem [24], whose security is based on the difficulties of solving the factoring problem and discrete logarithm problem, respectively.

RSA Cryptosystem
The RSA cryptosystem [23] proposed in 1978 was the first public-key cryptosystem. The security of the RSA cryptosystem is based on the difficulty of solving the factoring problem. The RSA cryptosystem provides encryption and decryption functions, and it can be used to generate a digital signature. The details are as follows: Suppose there is a user $U_1$. $U_1$ must do the following to initialize the system.
Step 1: Choose two different large prime numbers, $p$ and $q$, and compute $n = p \times q$.
Step 4: Keep $d$ as his/her private key and make the corresponding public key $(e, n)$ public.
When another user $U_2$ wants to send a message $m$ to $U_1$ securely so that only $U_1$ can get $m$, $U_2$ computes the ciphertext $C = m^e \bmod n$ with $U_1$'s public key $(e, n)$ for encryption and sends $C$ to $U_1$. After receiving $C$, $U_1$ uses his/her private key $d$ to compute $m = C^d \bmod n$ for decryption.
On the other hand, when $U_1$ wants to generate a digital signature $S$ for a message $m$, $U_1$ uses his/her private key $d$ to compute $S = m^d \bmod n$. Then, when another user $U_2$ gets $m$ and $S$ and wants to verify the digital signature, $U_2$ uses $U_1$'s public key $(e, n)$ to compute $m' = S^e \bmod n$ and checks if $m'$ and $m$ are equal. If it holds, the signature $S$ for $m$ is verified, and $U_2$ believes that $S$ is generated by $U_1$.

ElGamal Cryptosystem
The ElGamal cryptosystem [24] proposed in 1985 is another representative public-key cryptosystem, and its security is based on the difficulty of solving the discrete logarithm problem. The ElGamal cryptosystem provides encryption and decryption functions, and it can be used to generate a digital signature. To initialize the system, the following will be executed at first.
Step 1: A large prime number $p$ and a generator $g$ of $GF(p)$ are chosen.
Step 2: For each user, an integer $x$ in $[1, p - 1]$ is chosen as the user's private key, and the corresponding public key $y$ is computed, where $y = g^x \bmod p$.
Suppose there is a user $U_1$, where $U_1$'s private key is $x$ and $U_1$'s public key is $y = g^x \bmod p$. Then, when another user $U_2$ wants to send a message $m$ to $U_1$ securely so that only $U_1$ can get $m$, $U_2$ needs to execute the following steps.
Step 2: Compute $b = g^r \bmod p$ and $c = m \times y^r \bmod p$.
Step 3: Send the ciphertext $(b, c)$ to $U_1$.
After $U_1$ receives the ciphertext $(b, c)$, $U_1$ computes $m = c \times (b^x)^{-1} \bmod p$ for decryption. On the other hand, when $U_1$ wants to generate a digital signature for a message $m$, $U_1$ chooses a random number $k$ in $[1, p - 2]$ such that $\gcd(k, p - 1) = 1$. Then, $U_1$ computes $r = g^k \bmod p$ and $s$, where $m = (xr + ks) \bmod (p - 1)$. $(r, s)$ is the digital signature of $m$. When another user $U_2$ gets $m$ and $(r, s)$ and wants to verify the digital signature, $U_2$ checks whether $g^m \bmod p$ and $y^r r^s \bmod p$ are equal or not. If they are equal, the signature $(r, s)$ for $m$ is successfully verified, and $U_2$ believes that $(r, s)$ is generated by $U_1$.

The Architecture of the Designed Offline Non-Repudiation and Anonymity-Ensured User Authentication System
In the designed offline non-repudiation and anonymity-ensured user authentication system, there exist four entities: management server, system administrator's authentication device, executive's authentication device, and department's authentication device, as shown in Figure 1. There is only one management server and only one system administrator in the system, and the system administrator is equipped with a system administrator's authentication device. The numbers of executives and departments depend on the actual requirements. Each executive is equipped with an executive's authentication device, and each department is equipped with an authentication device, namely a department authentication device. The detailed functions of these four entities are shown in the following.

1. Functions of the management server
(a) Manage all authorization information, including information about various departments and the related authorized management personnel.
(b) Generate all required parameters for authorization and authentication.
(c) Store the authentication data in the system administrator's authentication device and executive's authentication device through a secure channel when the system is initialized.
(d) Generate new authentication data and store it in the system administrator's authentication device through a secure channel because of the change of authorized management personnel.
Update the authentication parameters on the department's authentication device through a public channel when authorized management personnel of this department changes.

3. The executive's authentication device
(a) Generate a nonce and send the authentication request to the department's authentication device for authentication.
(b) Verify the legitimacy of the department's authentication device by the response of the department's authentication device.
(c) Compute the authentication parameters for the department's authentication device to allow the department's authentication device to verify the legitimacy and ensure non-repudiation of the executive.

4. The department's authentication device
(a) Verify the legitimacy of the system administrator's authentication device before the stored authentication data is set or updated.
(b) Generate a nonce and send it back to the executive's authentication device after getting the authentication request from the administrator's authentication device.
(c) Verify the legitimacy and ensure non-repudiation of the executive after receiving the authentication parameters generated by the executive's authentication device.

The User Authentication Scheme for the Designed Offline Non-Repudiation and Anonymity-Ensured User Authentication System
To ensure that the designed offline non-repudiation and anonymity-ensured user authentication system can meet the specific requirements, the proposed user authentication scheme needs to comply with the following:
1. The legitimacy of a user can be verified offline.
2. Data transmitted between the department's authentication device and the executive's or system administrator's authentication device must be protected.
5. Management can be easily conducted because authentication data stored in the executive's authentication device does not need to be updated even when personnel changes are made.
The proposed user authentication scheme is composed of four phases: initialization phase, department authentication device setup phase, authentication phase, and authentication data update phase. The notations used in the designed authentication scheme are defined in Table 1.

Table 1. Notations used in the proposed user authentication scheme.
Notation | Definition
Server | Management server
$Master_1$, $Master_2$ | Server's secret keys for generating essential parameters for authentication devices
MS | System secret key for checking the integrity of the transmitted data and generating session keys to protect the transmitted data
SA | System administrator
$H_{SA}$ | SA's authentication device
$m$ | The total amount of executives of management personnel in the system
$A_i$ | The ith executive
$Set_1$ | The set of executives in the system, where
$w$ | The total amount of departments in the system
$C_j$ | The jth department
$Set_2$ | The set of departments in the system, where
H(.) | One-way hash function, where $H: \{0, 1\}^* \to \{0, 1\}^l$ and $l$ is the length of its output
$p$, $q$ | Two large prime integers chosen by Server and secretly kept by Server, where p > 1 l
$n$ | System public parameter, where $n = p \times q$
$g$ | The primitive root modulo $n$
|| | Concatenation operator
⊕ | XOR operator

Initialization Phase
In the initialization phase, the management server Server first determines $Set_1$ and $Set_2$. Then, Server initializes a department $C_j$'s department authentication device $D_j$. Server computes $G_j = H(ID_{D_j} || Master_2)$ and stores {H(.), $n$, $g$, MS, $ID_{D_j}$, $G_j$} in $D_j$. Then, $C_j$ is equipped with $D_j$.
After confirming the corresponding executives of all departments, Server computes the authentication data for all executives of $Set_1$ and departments of $Set_2$, stores personal authentication data of the executive $A_i$ in his/her authentication device $H_{A_i}$, and stores department authentication data in SA's authentication device $H_{SA}$. In the initialization phase, data is transmitted through a secure channel. The initialization phase is depicted in Figures 2 and 3, and the details are as follows:
Step 1: The management server Server computes $K_i = H(ID_{A_i} || Master_1)$ for the executive $A_i$, where $i = 1, 2, \ldots, m$.
Step 2: Server selects $e_i$ for $A_i$ and then computes $d_i$ such that $d_i \times e_i \equiv 1 \pmod{\varphi(n)}$, where $\gcd(e_i, \varphi(n)) = 1$ and $e_r \neq e_\alpha$ when $r \neq \alpha$.
Step 3: Server computes $SK_i = g^{d_i} \bmod n$ for $A_i$.
Step 4: Server stores H(.), $n$, $g$, MS, $SK_i$, $ID_{A_i}$ and $K_i$ in $A_i$'s authentication device $H_{A_i}$.
Step 5: Server randomly generates a dedicated authentication code $S_j$ for $C_j$'s department authentication device $D_j$, where $S_j < n$ and $j = 1, 2, \ldots, w$.

Step 8: Server stores H(.), $n$, $g$, MS, and $S_j$ in the system administrator SA's authentication device $H_{SA}$, where $j = 1, 2, \ldots, w$.

Department Authentication Device Setup Phase
This phase will be executed when the system administrator SA wants to initialize or update the authentication data in $C_j$'s department authentication device $D_j$. Data is transmitted through a public channel in this phase. The department authentication device setup phase is depicted in Figure 4, and the details are as follows:
Step 1: $H_{SA}$ generates a random number $R_1$ and sends $R_1$ with a setup request to $D_j$.
Step 2: When $D_j$ receives $R_1$ and a setup request from $H_{SA}$, $D_j$ generates a random number $R_2$. Then, $D_j$ sends $R_2$ back to $H_{SA}$.
Step 4: $H_{SA}$ sends veri1, veri2, and cparas to $D_j$.
Step 5: After receiving veri1, veri2, and cparas, $D_j$ first uses $ID_{D_j}$ and $G_j$ to compute
Step 6: If veri2′ is equal to veri2, the authentication data of $D_j$ is initialized or updated with $S_j$,
Sensors 2022, 22, 9673

Authentication Phase
When the executive $A_i$ wants to deal with the management of $C_j$ or inspect $C_j$, he/she needs to be authenticated by $C_j$'s department authentication device $D_j$ with his/her authentication device $H_{A_i}$. In the authentication phase, $A_i$ can be authenticated by $D_j$ with the help of $H_{A_i}$ while $C_j$ cannot know who $A_i$ is, and data is transmitted through a public channel. The authentication phase is depicted in Figure 5, and the details are as follows:
Step 1: $H_{A_i}$ generates a random number $R_1$ and sends $R_1$ with an authentication request to $D_j$.
Step 2: When $D_j$ receives $R_1$ and the authentication request from
Step 4: $D_j$ sends $R_2$, PID, cshares, and check to $H_{A_i}$.
Step 6: $H_{A_i}$ uses $(r_{j,1}', Share_{j,1}'), (r_{j,2}', Share_{j,2}'), \ldots, (r_{j,t_j}', Share_{j,t_j}')$ and $(ID_{A_i}, K_i)$ to set the
Step 7: $H_{A_i}$ computes $ID_{D_j}' = TMS' \oplus PID$ and $check' = H(R_1 || R_2 || (r_{j,1}', Share_{j,1}') || (r_{j,2}', Share_{j,2}') || \ldots || (r_{j,t_j}', Share_{j,t_j}') || MS || ID_{D_j}' || S_j')$ and checks whether $check'$ and $check$ are equal or not. If it holds, it denotes that $D_j$ is indeed a legal department authentication device, $D_j$'s identity is indeed $ID_{D_j}$, and the derived $S_j'$ is correct.
Step 8: Then, $H_{A_i}$ sends $\sigma_1$ and $\sigma_2$ to $D_j$.
Step 9: After receiving $\sigma_1$ and $\sigma_2$, $D_j$ computes $ID_{A_i}' = H(R_1 || R_2 || S_j) \oplus \sigma_1$. Then, $D_j$ uses $ID_{A_i}'$ as the index to find the matched $(H(ID_{A_i}'), e_i)$.
Step 10: $D_j$ checks whether $g^{H(ID_{A_i}' || R_1 || R_2 || S_j)} \bmod n$ and $\sigma_2^{e_i} \bmod n$ are equal or not. If they are equal, it denotes that $A_i$ is a legal executive, and $A_i$'s identity is $ID_{A_i}'$. That is, $A_i$ is authenticated by $D_j$ with $H_{A_i}$'s help, and he/she can then deal with the management of $C_j$ or inspect $C_j$.
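Steps 4 and 7 to 10 of the authentication phase can be followed in code. The Python sketch below is an added example, not the authors' implementation. Its assumptions: SHA-256 stands in for H, each operand of || is length-prefixed, identities are padded to 32 bytes, the primes are constructed demo values, the shares are opaque byte strings sent without the cshares encryption, and the executive's device has already derived S_j' from them.

```python
import hashlib
import secrets
from math import gcd

# Constructed demo parameters (assumptions; far too small for real use).
P, Q = 1_000_000_007, 998_244_353
N, PHI, G = P * Q, (P - 1) * (Q - 1), 3
HLEN = 32  # assumption: H is SHA-256, so l = 256 bits


def H(*parts: bytes) -> bytes:
    """H(a||b||...). Assumption: parts are length-prefixed so '||' is unambiguous."""
    h = hashlib.sha256()
    for part in parts:
        h.update(len(part).to_bytes(4, "big") + part)
    return h.digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def pad_id(identity: bytes) -> bytes:
    """Assumption: identities are HLEN bytes so they XOR cleanly with H()."""
    if len(identity) > HLEN:
        raise ValueError("identity longer than hash output")
    return identity.ljust(HLEN, b"\0")


def fresh_exponent(used: set) -> int:
    """Pick e_i with gcd(e_i, phi(n)) = 1 that no other executive holds."""
    e = 3
    while gcd(e, PHI) != 1 or e in used:
        e += 2
    used.add(e)
    return e


def enroll(identity: bytes, used: set):
    """Server side: (data stored in H_Ai, table entry (H(ID_Ai), e_i) for D_j)."""
    e = fresh_exponent(used)
    d = pow(e, -1, PHI)                     # d_i * e_i = 1 mod phi(n)
    ident = pad_id(identity)
    return {"id": ident, "SK": pow(G, d, N)}, (H(ident), e)


def department_challenge(R1, R2, MS, ID_D, S_j, shares):
    """Step 4: D_j masks its identity in PID and binds the session in check."""
    TMS = H(R1, R2, MS)
    return xor(TMS, ID_D), H(R1, R2, *shares, MS, ID_D, S_j)


def executive_checks_department(R1, R2, PID, check, MS, S_j, shares):
    """Step 7: H_Ai unmasks ID_Dj' and compares check' with check."""
    ID_D = xor(H(R1, R2, MS), PID)
    return secrets.compare_digest(H(R1, R2, *shares, MS, ID_D, S_j), check)


def executive_response(device, R1, R2, S_j):
    """Step 8: sigma1 masks ID_Ai; sigma2 = SK_i^H(ID_Ai||R1||R2||S_j) mod n."""
    sigma1 = xor(H(R1, R2, S_j), device["id"])
    h = int.from_bytes(H(device["id"], R1, R2, S_j), "big")
    return sigma1, pow(device["SK"], h, N)


def department_verify(table, R1, R2, S_j, sigma1, sigma2):
    """Steps 9-10: return the recovered ID_Ai' on success, None otherwise."""
    ident = xor(H(R1, R2, S_j), sigma1)
    e = table.get(H(ident))                 # lookup by H(ID_Ai')
    if e is None:
        return None
    h = int.from_bytes(H(ident, R1, R2, S_j), "big")
    return ident if pow(G, h, N) == pow(sigma2, e, N) else None


def demo():
    used = set()
    dev_a1, entry_a1 = enroll(b"A_1", used)
    _, entry_a2 = enroll(b"A_2", used)
    dev_a3, _ = enroll(b"A_3", used)        # legal executive, not assigned to D_j
    table = dict([entry_a1, entry_a2])      # what D_j holds after setup
    MS, S_j = secrets.token_bytes(32), secrets.token_bytes(16)
    ID_D = pad_id(b"D_7")
    shares = [b"constructed-share-1", b"constructed-share-2"]
    R1, R2 = secrets.token_bytes(16), secrets.token_bytes(16)
    PID, check = department_challenge(R1, R2, MS, ID_D, S_j, shares)
    dept_ok = executive_checks_department(R1, R2, PID, check, MS, S_j, shares)
    who = department_verify(table, R1, R2, S_j,
                            *executive_response(dev_a1, R1, R2, S_j))
    outsider = department_verify(table, R1, R2, S_j,
                                 *executive_response(dev_a3, R1, R2, S_j))
    return dept_ok, who, outsider


if __name__ == "__main__":
    print(demo())
```

The department device learns ID_Ai' only after unmasking σ1 with S_j, and the exponent lookup fails for an enrolled executive who is not in that department's table.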

Authentication Data Update Phase
When the authorized management personnel of a department changes, the authentication data update phase will be executed. If a new executive joins, this phase will be executed from Step 1. If the changes do not result in the joining of a new executive, this phase will be executed from Step 5. The management server Server computes the updated authentication data for the authentication devices of all departments that are influenced by the changes. Thereupon, the system administrator SA uses his/her authentication device $H_{SA}$ to update the authentication data stored in the corresponding department's authentication device. The steps are shown as follows:
Step 1: Server computes $K_i = H(ID_{A_i} || Master_1)$ for the new executive $A_i$.
Step 2: Server selects $e_i$ for $A_i$, and computes $d_i$ such that $d_i \times e_i \equiv 1 \pmod{\varphi(n)}$, where $\gcd(e_i, \varphi(n)) = 1$ and $e_i$ is different from the existing $e_i$'s.
Step 3: Server computes $SK_i = g^{d_i} \bmod n$ for $A_i$.
Step 4: Server stores H(.), $n$, $g$, MS, $SK_i$, $ID_{A_i}$ and $K_i$ in the authentication device $H_{A_i}$ of the new executive $A_i$.
Step 5: Server randomly generates a dedicated authentication code $S_j$ for the department authentication device $D_j$ of the influenced department $C_j$, where $D_j \in \{D_k \mid k = 1, 2, \ldots, w\}$.
Step 9: $H_{SA}$ executes the department authentication device setup phase to update the authentication data stored in the influenced department $C_j$'s authentication device $D_j$.

Property Analysis and Further Analysis
In the following, property analysis is first made to demonstrate that the five properties previously mentioned are ensured to meet the requirements of the designed offline non-repudiation and anonymity-ensured authentication system. Then, comparisons between authentication schemes ensuring anonymity and ours are made. Finally, further security analysis is conducted to show that our scheme can resist common attacks and the correctness is ensured.

Property Analysis
As previously mentioned, the proposed offline non-repudiation and anonymity-ensured authentication system needs to possess the following properties to comply with the desired requirements:
1. The legitimacy of a user can be verified offline.
2. Data transmitted between the department's authentication device and the executive's or system administrator's authentication device must be protected.
5. Management can be easily conducted because authentication data stored in the executive's authentication device does not need to be updated even when personnel changes are made.
The corresponding analysis is performed as follows.

Offline Authentication
In the authentication phase, if executive $A_i$ wants to manage or inspect $C_j$, he/she must be authenticated by the authentication device $D_j$ of $C_j$ with his/her own authentication device $H_{A_i}$. $A_i$ can authenticate $D_j$ independently without the management server Server's help, and $A_i$ authenticates $D_j$ by checking whether $check'$ and $check$ are equal or not, where $check' = H(R_1 || R_2 || (r_{j,1}', Share_{j,1}') || (r_{j,2}', Share_{j,2}') || \ldots || (r_{j,t_j}', Share_{j,t_j}') || MS || ID_{D_j}' || S_j')$.
Meanwhile, $D_j$ also verifies the legitimacy of $A_i$ by checking whether $g^{H(ID_{A_i}' || R_1 || R_2 || S_j)} \bmod n$ and $\sigma_2^{e_i} \bmod n$ are equal or not. That is, the legitimacy of a user can be verified offline.

Protection of the Transmitted Data
Assume that adversary A intercepts all messages transmitted in the department authentication device setup phase and authentication phase. $H_{SA}$ sends veri1, veri2, and cparas to $D_j$ in the department authentication device setup phase, where veri1 = H( ), $e_{t_j}$)||$(r_{j,1}, Share_{j,1})$||$(r_{j,2}, Share_{j,2})$|| … ||$(r_{j,t_j}, Share_{j,t_j})$), and cparas is the ciphertext of $(S_j, (H(ID_{A_1}), e_1), (H(ID_{A_2}), e_2), \ldots, (H(ID_{A_{t_j}}), e_{t_j}), (r_{j,1}, Share_{j,1}), (r_{j,2}, Share_{j,2}), \ldots, (r_{j,t_j}, Share_{j,t_j}))$. Because of the properties of one-way hash functions, it is hard for A to retrieve the unknown parameters, such as $ID_{D_j}$, $G_j$ and $S_j$, from veri1 and veri2. On the other hand, cparas is the ciphertext of $(S_j, (H(ID_{A_1}), e_1), (H(ID_{A_2}), e_2), \ldots, (H(ID_{A_{t_j}}), e_{t_j}), (r_{j,1}, Share_{j,1}), (r_{j,2}, Share_{j,2}), \ldots, (r_{j,t_j}, Share_{j,t_j}))$ with the encryption key $TK = H(R_1 || R_2 || G_j || ID_{D_j})$. Because $G_j$ and $ID_{D_j}$ are unknown, A cannot obtain TK to decrypt cparas to retrieve $S_j$.
On the other hand, in the authentication phase, $D_j$ sends $R_2$, PID, cshares, and check to $H_{A_i}$, where $PID = TMS \oplus ID_{D_j}$, $check = H(R_1 || R_2 || (r_{j,1}, Share_{j,1}) || (r_{j,2}, Share_{j,2}) || \ldots || (r_{j,t_j}, Share_{j,t_j}) || MS || ID_{D_j} || S_j)$, and cshares is the ciphertext of $((r_{j,1}, Share_{j,1}), (r_{j,2}, Share_{j,2}), \ldots, (r_{j,t_j}, Share_{j,t_j}))$ with the encryption key $TMS = H(R_1 || R_2 || MS)$. Then, $H_{A_i}$ sends $\sigma_1$ and $\sigma_2$, where $\sigma_1 = H(R_1 || R_2 || S_j') \oplus ID_{A_i}$ and $\sigma_2 = SK_i^{H(ID_{A_i} || R_1 || R_2 || S_j)} \bmod n$. Firstly, because $ID_{D_j}$ is concealed and not transmitted, A cannot retrieve TMS from PID. Secondly, because of the properties of one-way hash functions, it is hard for A to retrieve the unknown parameters, such as MS, $ID_{D_j}$ and $S_j$, from check. Thirdly, because MS is unknown, A cannot obtain TMS to decrypt cshares or retrieve $ID_{D_j}$ from PID. Fourthly, because $S_j$ is unknown, it is impossible for A to retrieve $ID_{A_i}$ from $\sigma_1$.
Because of the above, it is ensured that data transmitted between the department's authentication device and the executive's or system administrator's authentication device is protected.

Anonymity and Untraceability
In the proposed scheme, the identities of all entities are not transmitted without being concealed through public channels. Firstly, D j sends PID and check to H A i , where PID = TMS ⊕ ID D j , check = H(R 1 ||R 2 ||(r j,1 , Share j,1 )||(r j,2 , Share j,2 )|| . . . ||(r j,t j , Share j,t j )||MS||ID D j ||S j ), and TMS = H(R 1 ||R 2 ||MS). Because of the properties of one-way hash functions, it is hard to retrieve the unknown parameters, such as MS, ID D j and S j , from check. Thus, TMS cannot be obtained to retrieve ID D j from PID. Then, H A i sends σ 1 and σ 2 , where σ 1 = H(R 1 ||R 2 ||S j ') ⊕ ID A i and σ 2 = SK H(ID A i ||R 1 ||R 2 ||S j ) i mod n. Because S j is unknown, it is impossible to retrieve ID A i from σ 1 . Furthermore, all parameters transmitted in the authentication phase are computed with fresh random numbers R 1 and R 2 . Consequently, transmitted parameters in one session must differ from those in other sessions.
According to the above, it is shown that no one can trace a specific entity or reveal the communication party's identity. Thus, anonymity and untraceability are ensured in the proposed scheme.
On the other hand, $H_{A_i}$ computes $\sigma_1 = H(R_1 \| R_2 \| S_j') \oplus ID_{A_i}$ and $\sigma_2 = SK_i^{H(ID_{A_i} \| R_1 \| R_2 \| S_j)} \bmod n$. Then, $H_{A_i}$ sends $\sigma_1$ and $\sigma_2$ to $D_j$. After receiving $\sigma_1$ and $\sigma_2$, $D_j$ computes $ID_{A_i} = H(R_1 \| R_2 \| S_j) \oplus \sigma_1$. Then, $D_j$ uses $ID_{A_i}$ as the index to find the matched $(H(ID_{A_i}), e_i)$ and checks whether $g^{H(ID_{A_i} \| R_1 \| R_2 \| S_j)} \bmod n$ and $\sigma_2^{e_i} \bmod n$ are equal. Because $ID_{A_i}$ is concealed when it is transmitted and only $H_{A_i}$ knows both $ID_{A_i}$ and $SK_i$, only $H_{A_i}$ can compute $\sigma_2$ to be successfully authenticated by $D_j$. Consequently, the proposed scheme ensures non-repudiation.

Simplified Management
When the authorized management personnel of a department changes, the authentication data update phase will be executed. If a new executive joins, Server only computes $K_i$, $d_i$, and $SK_i$ for the new executive $A_i$ and stores the parameters in $A_i$'s $H_{A_i}$. Then, Server only needs to compute the required parameters for the influenced departments, while authentication data kept by the remaining executives does not need to be updated. This approach can greatly reduce extra burdens and simplify management.

Comparisons between Authentication Schemes Ensuring Anonymity and the Proposed User Authentication Scheme
The proposed user authentication scheme ensures anonymity. To show that our scheme possesses superior properties, comparisons between authentication schemes ensuring anonymity [5,6,11-19] and the proposed user authentication scheme are made as follows. Authentication schemes [5,15-17] proposed for healthcare use biometrics as a factor to authenticate users, and this approach requires extra components to extract the biometrics needed. Authentication schemes were proposed for IoT applications [6,11,12], VANET [13,18,19], and cloud computing applications [13,14]. Users in these authentication schemes [5,6,11-19] need to register with a trusted authentication server and be authenticated online when accessing services, where users may be authenticated by the trusted authentication server directly or by other servers with the trusted authentication server's help. In the proposed scheme, a user/executive can be authenticated offline, and no extra component is needed. These properties enable the proposed scheme to work well without being influenced by the failure of networks or the backend authentication server, and the cost is reduced.

Further Security Analysis
In the following, further security analysis is conducted to show that our scheme can resist common attacks and that its correctness is ensured.

Resistance to Impersonation Attack
In the department authentication device setup phase, adversary $A$ can impersonate neither SA's authentication device $H_{SA}$ nor the department authentication device $D_j$. Why $A$ cannot successfully mount an impersonation attack in the department authentication device setup phase is shown as follows. If $A$ wants to impersonate $H_{SA}$ and set up $D_j$, he/she needs to send $veri1$, $veri2$, and $cparas$ to $D_j$, where $veri1 = H(R_1 \| R_2 \| ID_{D_j} \| G_j)$, $veri2 = H(R_1 \| R_2 \| ID_{D_j} \| G_j \| S_j \| (H(ID_{A_1}), e_1) \| (H(ID_{A_2}), e_2) \| \dots \| (H(ID_{A_{t_j}}), e_{t_j}) \| (r_{j,1}, Share_{j,1}) \| (r_{j,2}, Share_{j,2}) \| \dots \| (r_{j,t_j}, Share_{j,t_j}))$, $cparas$ is the ciphertext of $(S_j, (H(ID_{A_1}), e_1), (H(ID_{A_2}), e_2), \dots, (H(ID_{A_{t_j}}), e_{t_j}), (r_{j,1}, Share_{j,1}), (r_{j,2}, Share_{j,2}), \dots, (r_{j,t_j}, Share_{j,t_j}))$ encrypted with the encryption key $TK$, and $TK = H(R_1 \| R_2 \| G_j \| ID_{D_j})$. However, it is impossible for $A$ to compute correct $veri1$, $veri2$ and $cparas$ because the secret $G_j$ is unknown, where $G_j = H(ID_{D_j} \| Master_2)$. As a result, $D_j$ will detect that the other party is not $H_{SA}$ when it computes $veri1' = H(R_1 \| R_2 \| ID_{D_j} \| G_j)$ and checks whether $veri1'$ and $veri1$ are equal. On the other hand, if $A$ wants to impersonate $D_j$ to cheat $H_{SA}$ and get essential data, he/she will send $R_2$ to $H_{SA}$ and get $veri1$, $veri2$, and $cparas$. However, $A$ does not know $G_j$, so $TK$ cannot be computed. As a result, $cparas$ cannot be decrypted to retrieve $S_j$. Moreover, because of the properties of hash functions, $ID_{D_j}$ and other concealed parameters cannot be retrieved from $veri1$ and $veri2$. Consequently, $A$ can impersonate neither $H_{SA}$ nor $D_j$ to threaten the proposed scheme in the department authentication device setup phase.
On the other hand, adversary $A$ may try to impersonate either an executive's authentication device $H_{A_i}$ or $D_j$ in the authentication phase. Why $A$ cannot successfully mount an impersonation attack in the authentication phase is shown as follows. If $A$ wants to impersonate $D_j$ to cheat $H_{A_i}$, $A$ needs to send $R_2$, $PID$, $cshares$, and $check$ to $H_{A_i}$, where $PID = TMS \oplus ID_{D_j}$, $check = H(R_1 \| R_2 \| (r_{j,1}, Share_{j,1}) \| (r_{j,2}, Share_{j,2}) \| \dots \| (r_{j,t_j}, Share_{j,t_j}) \| MS \| ID_{D_j} \| S_j)$, and $cshares$ is the ciphertext of $((r_{j,1}, Share_{j,1}), (r_{j,2}, Share_{j,2}), \dots, (r_{j,t_j}, Share_{j,t_j}))$ with the encryption key $TMS = H(R_1 \| R_2 \| MS)$. After receiving $R_2$, $PID$, $cshares$ and $check$, $H_{A_i}$ computes $TMS = H(R_1 \| R_2 \| MS)$, decrypts $cshares$ with $TMS$ to retrieve $(r_{j,1}, Share_{j,1}), (r_{j,2}, Share_{j,2}), \dots, (r_{j,t_j}, Share_{j,t_j})$, and uses these shares and $(ID_{A_i}, K_i)$ to obtain $S_j$. Then, $H_{A_i}$ computes $ID_{D_j} = TMS \oplus PID$ and $check' = H(R_1 \| R_2 \| (r_{j,1}, Share_{j,1}) \| (r_{j,2}, Share_{j,2}) \| \dots \| (r_{j,t_j}, Share_{j,t_j}) \| MS \| ID_{D_j} \| S_j)$ and checks whether $check'$ and $check$ are equal. Because $ID_{D_j}$ is concealed when it is transmitted and only legal $D_j$ knows both $ID_{D_j}$ and $S_j$, only legal $D_j$ can compute $check$ to be successfully authenticated by $H_{A_i}$. That is, $A$ cannot impersonate $D_j$ to cheat $H_{A_i}$.
On the other hand, if $A$ wants to impersonate $H_{A_i}$ to cheat $D_j$ and obtain the desired rights, $A$ needs to send correct $\sigma_1$ and $\sigma_2$. After receiving $\sigma_1$ and $\sigma_2$, $D_j$ computes $ID_{A_i} = H(R_1 \| R_2 \| S_j) \oplus \sigma_1$, uses $ID_{A_i}$ as the index to find the matched $(H(ID_{A_i}), e_i)$, and checks whether $g^{H(ID_{A_i} \| R_1 \| R_2 \| S_j)} \bmod n$ and $\sigma_2^{e_i} \bmod n$ are equal. Because $ID_{A_i}$ is concealed when it is transmitted and only $H_{A_i}$ knows both $ID_{A_i}$ and $SK_i$, only legal $H_{A_i}$ can compute correct $\sigma_2$ to be successfully authenticated by $D_j$. Thus, it is impossible for $A$ to compute correct $\sigma_1$ and $\sigma_2$ and cheat $D_j$. Consequently, $A$ can impersonate neither $H_{A_i}$ nor $D_j$ to threaten the proposed scheme in the authentication phase.

Resistance to Replay Attack
When adversary $A$ eavesdrops and attempts to mount a replay attack and set up $D_j$ in the department authentication device setup phase, he/she can send $R_1$, $veri1$, $veri2$, and $cparas$ of one previous session to $D_j$, where $veri1 = H(R_1 \| R_2 \| ID_{D_j} \| G_j)$, $veri2 = H(R_1 \| R_2 \| ID_{D_j} \| G_j \| S_j \| (H(ID_{A_1}), e_1) \| (H(ID_{A_2}), e_2) \| \dots \| (H(ID_{A_{t_j}}), e_{t_j}) \| (r_{j,1}, Share_{j,1}) \| (r_{j,2}, Share_{j,2}) \| \dots \| (r_{j,t_j}, Share_{j,t_j}))$, $cparas$ is the ciphertext of $(S_j, (H(ID_{A_1}), e_1), (H(ID_{A_2}), e_2), \dots, (H(ID_{A_{t_j}}), e_{t_j}), (r_{j,1}, Share_{j,1}), (r_{j,2}, Share_{j,2}), \dots, (r_{j,t_j}, Share_{j,t_j}))$ encrypted with the encryption key $TK$, and $TK = H(R_1 \| R_2 \| G_j \| ID_{D_j})$. However, because the random number $R_2$ is chosen by $D_j$, $R_2$ in the present session must differ from that intercepted in the previous session. Thus, the resent $veri1$ must differ from the correct $veri1$ computed by $D_j$ in the present session, and $A$ cannot successfully mount a replay attack in the department authentication device setup phase.
On the other hand, when $A$ eavesdrops and attempts to mount a replay attack in the authentication phase, he/she can perform as follows. First, $A$ can send $R_2$, $PID$, $cshares$, and $check$ of one previous session to $H_{A_i}$, where $PID = TMS \oplus ID_{D_j}$, $check = H(R_1 \| R_2 \| (r_{j,1}, Share_{j,1}) \| (r_{j,2}, Share_{j,2}) \| \dots \| (r_{j,t_j}, Share_{j,t_j}) \| MS \| ID_{D_j} \| S_j)$, and $cshares$ is the ciphertext of $((r_{j,1}, Share_{j,1}), (r_{j,2}, Share_{j,2}), \dots, (r_{j,t_j}, Share_{j,t_j}))$ with the encryption key $TMS = H(R_1 \| R_2 \| MS)$. However, because the random number $R_1$ is chosen by $H_{A_i}$, $R_1$ in the present session must differ from that intercepted in the previous session. Thus, $TMS$ of the previous session must differ from the correct $TMS$ computed by $H_{A_i}$ in the present session, and $H_{A_i}$ cannot retrieve correct $((r_{j,1}, Share_{j,1}), (r_{j,2}, Share_{j,2}), \dots, (r_{j,t_j}, Share_{j,t_j}))$, $ID_{D_j}$ and $S_j$. Thereupon, $check$ computed by $H_{A_i}$ in the present session must differ from the resent $check$, and $H_{A_i}$ will detect that the other party is not $D_j$. Second, $A$ can send $\sigma_1$ and $\sigma_2$ of one previous session to $D_j$, where $\sigma_1 = H(R_1 \| R_2 \| S_j) \oplus ID_{A_i}$ and $\sigma_2 = SK_i^{H(ID_{A_i} \| R_1 \| R_2 \| S_j)} \bmod n$. Then, $D_j$ uses $ID_{A_i}$ as the index to find the matched $(H(ID_{A_i}), e_i)$ and checks whether $g^{H(ID_{A_i} \| R_1 \| R_2 \| S_j)} \bmod n$ and $\sigma_2^{e_i} \bmod n$ are equal. However, because the random number $R_2$ is chosen by $D_j$, $R_2$ in the present session must differ from that intercepted in the previous session. Thus, $ID_{A_i}$ computed by $D_j$ in the present session must differ from the correct $ID_{A_i}$, such that no matched $(H(ID_{A_i}), e_i)$ can be found. Hence, $D_j$ will detect that the other party is not $H_{A_i}$. From the above, it is shown that $A$ cannot mount a replay attack successfully in the authentication phase, either.
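The replay and untraceability arguments for the authentication phase can be exercised with the following added example, which is not code from the paper. It assumes a fixed-width integer encoding for $\|$, leaves out $\sigma_2$ and the AES encryption of $cshares$, hands $S_j$ to the executive side directly instead of recovering it by interpolation, and uses hypothetical function names and constructed random values throughout.

```python
import hashlib
import hmac
import secrets

WIDTH = 256  # bytes per hashed integer (2048-bit values, as in the paper's evaluation)


def H(*values):
    """SHA-256 over fixed-width big-endian integers, so '||' is unambiguous."""
    h = hashlib.sha256()
    for v in values:
        h.update(v.to_bytes(WIDTH, "big"))
    return int.from_bytes(h.digest(), "big")


def flatten(shares):
    return [c for pair in shares for c in pair]


def dept_send(r1, r2, dept):
    """D_j -> H_Ai: PID and check for this session (cshares is omitted here)."""
    tms = H(r1, r2, dept["MS"])
    pid = tms ^ dept["ID_D"]
    check = H(r1, r2, *flatten(dept["shares"]), dept["MS"], dept["ID_D"], dept["S_j"])
    return pid, check


def exec_verify(r1, r2, pid, check, shares, ms, s_j):
    """H_Ai recomputes TMS, unmasks ID_Dj from PID and compares check' with check."""
    tms = H(r1, r2, ms)
    id_d = tms ^ pid
    check2 = H(r1, r2, *flatten(shares), ms, id_d, s_j)
    return hmac.compare_digest(check2.to_bytes(32, "big"), check.to_bytes(32, "big"))


def exec_send(r1, r2, s_j, id_a):
    """H_Ai -> D_j: sigma_1 masks ID_Ai with a hash bound to R_1 and R_2."""
    return H(r1, r2, s_j) ^ id_a


def dept_identify(r1, r2, sigma1, dept):
    """D_j unmasks ID_Ai and looks up H(ID_Ai); None means no matched entry."""
    id_a = H(r1, r2, dept["S_j"]) ^ sigma1
    return id_a if H(id_a) in dept["known"] else None


def demo():
    rnd = secrets.randbits
    id_a = rnd(256)  # constructed executive identity
    dept = {  # constructed department state; the shares are random placeholders
        "MS": rnd(256), "ID_D": rnd(256), "S_j": rnd(2047),
        "shares": [(rnd(1023), rnd(2047)) for _ in range(3)],
        "known": {H(id_a)},
    }
    # Session 1: honest run, fully recorded by the eavesdropper.
    r1, r2 = rnd(2048), rnd(2048)
    pid, check = dept_send(r1, r2, dept)
    sigma1 = exec_send(r1, r2, dept["S_j"], id_a)
    honest_ok = (
        exec_verify(r1, r2, pid, check, dept["shares"], dept["MS"], dept["S_j"])
        and dept_identify(r1, r2, sigma1, dept) == id_a
    )
    # Session 2: each device draws a fresh nonce; old messages are replayed.
    r1_new, r2_new = rnd(2048), rnd(2048)
    replay_to_exec = exec_verify(
        r1_new, r2, pid, check, dept["shares"], dept["MS"], dept["S_j"])
    replay_to_dept = dept_identify(r1, r2_new, sigma1, dept)
    pid_new, _ = dept_send(r1_new, r2_new, dept)
    sigma1_new = exec_send(r1_new, r2_new, dept["S_j"], id_a)
    return {
        "honest_ok": honest_ok,
        "replay_to_exec_accepted": replay_to_exec,
        "replay_to_dept_match": replay_to_dept,
        "values_differ_across_sessions": pid != pid_new and sigma1 != sigma1_new,
    }


if __name__ == "__main__":
    print(demo())
```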

Resistance to Man-in-the-Middle Attack
A man-in-the-middle attack is a type of eavesdropping in which an attacker may intercept and control the exchanged messages, and further capture or manipulate sensitive data without being noticed. When adversary $A$ wants to mount a man-in-the-middle attack in our scheme, he/she cannot succeed in either the department authentication device setup phase or the authentication phase. How the proposed scheme can defend against a man-in-the-middle attack is shown as follows.
On the other hand, in the authentication phase, $D_j$ sends $R_2$, $PID$, $cshares$, and $check$ to $H_{A_i}$, where $PID = TMS \oplus ID_{D_j}$, $check = H(R_1 \| R_2 \| (r_{j,1}, Share_{j,1}) \| (r_{j,2}, Share_{j,2}) \| \dots \| (r_{j,t_j}, Share_{j,t_j}) \| MS \| ID_{D_j} \| S_j)$, and $cshares$ is the ciphertext of $((r_{j,1}, Share_{j,1}), (r_{j,2}, Share_{j,2}), \dots, (r_{j,t_j}, Share_{j,t_j}))$ with $TMS = H(R_1 \| R_2 \| MS)$. Then, $H_{A_i}$ sends $\sigma_1$ and $\sigma_2$, where $\sigma_1 = H(R_1 \| R_2 \| S_j) \oplus ID_{A_i}$ and $\sigma_2 = SK_i^{H(ID_{A_i} \| R_1 \| R_2 \| S_j)} \bmod n$. Firstly, because $ID_{D_j}$ is concealed and not transmitted, $A$ cannot retrieve $TMS$ from $PID$. Secondly, because of the properties of one-way hash functions, it is hard for $A$ to retrieve the unknown parameters, such as $MS$, $ID_{D_j}$ and $S_j$, from $check$. Thirdly, because $MS$ is unknown, $A$ can neither obtain $TMS$ to decrypt $cshares$ nor retrieve $ID_{D_j}$ from $PID$. Fourthly, because $S_j$ is unknown, it is impossible for $A$ to retrieve $ID_{A_i}$ from $\sigma_1$. Furthermore, $A$ cannot control the exchanged messages in the authentication phase, either.

Proof of Correctness
In the initialization phase, the management server Server determines $Set_1$ and $Set_2$ and initializes a department $C_j$'s department authentication device $D_j$ for $j = 1, 2, \dots, w$. Then, Server confirms the corresponding executives of all departments, computes the authentication data for all executives and departments, stores personal authentication data of the executive $A_i$ in his/her authentication device $H_{A_i}$, and stores department authentication data in SA's authentication device $H_{SA}$. The fundamental principle of the proposed scheme is that only a legal and authorized executive can use his/her authentication device to be successfully authenticated by the corresponding department authentication device, while authentication data stored in the executive's authentication device does not need to be updated even when personnel changes are made. To achieve this goal, Server uses $(ID_{A_1}, K_1), (ID_{A_2}, K_2), \dots, (ID_{A_{t_j}}, K_{t_j})$ of executives $A_1, A_2, \dots, A_{t_j}$ who are authorized to manage or inspect $C_j$, and $(0, S_j)$ to obtain the polynomial $P_j(x) = a_{t_j} x^{t_j} + a_{t_j - 1} x^{t_j - 1} + \dots + a_1 x + S_j \bmod n$, where $t_j$ is the number of authorized executives who can manage or inspect $C_j$, $\{A_1, A_2, \dots, A_{t_j}\} \subseteq \{A_i \mid i = 1, 2, \dots, m\}$, $P_j(0) = S_j$, $P_j(ID_{A_1}) = K_1$, $P_j(ID_{A_2}) = K_2$, ..., and $P_j(ID_{A_{t_j}}) = K_{t_j}$. After obtaining the polynomial $P_j(x)$, Server randomly generates $r_{j,1}, r_{j,2}, \dots, r_{j,t_j}$ and computes $Share_{j,1} = P_j(r_{j,1})$, $Share_{j,2} = P_j(r_{j,2})$, ..., $Share_{j,t_j} = P_j(r_{j,t_j})$, where $r_{j,1}, r_{j,2}, \dots, r_{j,t_j}$ are less than $\min(p, q)$, are different from each other, and are different from $ID_{A_1}, ID_{A_2}, \dots, ID_{A_{t_j}}$. Server stores $H(\cdot)$, $n$, $g$, $MS$, $ID_{D_j}$, $G_j$, $(H(ID_{A_1}), e_1), (H(ID_{A_2}), e_2), \dots, (H(ID_{A_{t_j}}), e_{t_j})$, $(r_{j,1}, Share_{j,1}), (r_{j,2}, Share_{j,2}), \dots, (r_{j,t_j}, Share_{j,t_j})$ and $S_j$ in the system administrator SA's authentication device $H_{SA}$, where $j = 1, 2, \dots, w$.
Later, SA can initialize the authentication data in $C_j$'s department authentication device $D_j$ in the department authentication device setup phase such that $S_j$, $(H(ID_{A_1}), e_1), (H(ID_{A_2}), e_2), \dots, (H(ID_{A_{t_j}}), e_{t_j})$, $(r_{j,1}, Share_{j,1}), (r_{j,2}, Share_{j,2}), \dots, (r_{j,t_j}, Share_{j,t_j})$ are stored in $D_j$. Thereupon, in the authentication phase, $H_{A_i}$ uses $(r_{j,1}, Share_{j,1}), (r_{j,2}, Share_{j,2}), \dots, (r_{j,t_j}, Share_{j,t_j})$ and $(ID_{A_i}, K_i)$ to set the parameters $q_0 = ID_{A_i}$, $Q_0 = K_i$, $q_1 = r_{j,1}$, $Q_1 = Share_{j,1}$, $q_2 = r_{j,2}$, $Q_2 = Share_{j,2}$, ..., $q_{t_j} = r_{j,t_j}$, $Q_{t_j} = Share_{j,t_j}$. Then, Because $t_j$ is the number of authorized executives who can manage or inspect $C_j$ and the polynomial $P_j(x)$ is of degree $t_j$, Server obtains $P_j(x)$ with $(ID_{A_1}, K_1), (ID_{A_2}, K_2), \dots, (ID_{A_{t_j}}, K_{t_j})$ and $(0, S_j)$, where $P_j(0) = S_j$, $P_j(ID_{A_1}) = K_1$, $P_j(ID_{A_2}) = K_2$, ..., and $P_j(ID_{A_{t_j}}) = K_{t_j}$. After $P_j(x)$ is obtained, $Share_{j,1}, Share_{j,2}, \dots, Share_{j,t_j}$ can be easily computed, where $Share_{j,1} = P_j(r_{j,1})$, $Share_{j,2} = P_j(r_{j,2})$, ..., $Share_{j,t_j} = P_j(r_{j,t_j})$. An authorized executive . . . , $(ID_{A_{t_j}}, K_{t_j})\}$ can retrieve $P_j(x)$ of degree $t_j$ when $(r_{j,1}, Share_{j,1}), (r_{j,2}, Share_{j,2}), \dots, (r_{j,t_j}, Share_{j,t_j})$ are obtained. On the other hand, because the constant term $S_j$ of $P_j(x)$ is the dedicated authentication code for $D_j$, $H_{A_i}$ utilizes the Lagrange interpolation formula to compute $S_j = \sum_{u=0}^{t_j} J_u \times Q_u \bmod n$ to retrieve $S_j$ only, instead of the polynomial $P_j(x)$. From the above, the correctness can be ensured.
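The share construction in this proof, together with the Simplified Management claim that remaining executives keep their stored data after a personnel change, is worked through in the following added example, which is not the authors' simulation code. It assumes toy parameters (two Mersenne primes in place of the 1024-bit $p$ and $q$), randomly drawn $K_i$, a fresh $S_j$ at the update, and hypothetical function names.

```python
import random

# Constructed toy parameters: two Mersenne primes stand in for the 1024-bit p and q.
P_PRIME = 2**61 - 1
Q_PRIME = 2**89 - 1
N = P_PRIME * Q_PRIME
BOUND = min(P_PRIME, Q_PRIME)  # every x-coordinate stays below min(p, q)


def lagrange_at(x, points, n=N):
    """Evaluate at x the polynomial of degree < len(points) through `points`, mod n."""
    xs = [px for px, _ in points]
    if len(set(xs)) != len(xs) or not all(0 <= px < BOUND for px in xs):
        raise ValueError("x-coordinates must be distinct and below min(p, q)")
    total = 0
    for u, (q_u, Q_u) in enumerate(points):
        num, den = 1, 1
        for v, (q_v, _) in enumerate(points):
            if v != u:
                num = num * (x - q_v) % n
                den = den * (q_u - q_v) % n
        # Each difference is non-zero and smaller than min(p, q), hence coprime to n,
        # so the modular inverse exists although n is composite.
        total = (total + Q_u * num * pow(den, -1, n)) % n
    return total


def issue_shares(s_j, executives, rng):
    """Server: P_j is fixed by (0, S_j) and every (ID_Ai, K_i); publish t_j shares."""
    defining = [(0, s_j)] + list(executives)
    used = {px for px, _ in defining}
    shares = []
    while len(shares) < len(executives):
        r = rng.randrange(1, BOUND)
        if r not in used:  # r values differ from each other and from every ID
            used.add(r)
            shares.append((r, lagrange_at(r, defining)))
    return shares


def recover_s_j(own_point, shares):
    """H_Ai: q_0 = ID_Ai, Q_0 = K_i plus the t_j shares determine P_j(0) = S_j."""
    return lagrange_at(0, [own_point] + list(shares))


def demo():
    rng = random.Random(7)  # fixed seed keeps the demo reproducible; not for real keys

    def new_executive():  # constructed (ID_Ai, K_i); K_i is simply random here
        return rng.randrange(1, BOUND), rng.randrange(N)

    a1, a2, a3, a4, outsider = (new_executive() for _ in range(5))
    s_j = rng.randrange(N)
    shares = issue_shares(s_j, [a1, a2, a3], rng)
    result = {
        "authorized": all(recover_s_j(a, shares) == s_j for a in (a1, a2, a3)),
        "outsider": recover_s_j(outsider, shares) == s_j,
        "shares_only": lagrange_at(0, shares) == s_j,
    }
    # Personnel change: A_3 leaves, A_4 joins. Only the department's data is reissued;
    # (ID, K) held by A_1 and A_2 is untouched. Drawing a new S_j is an assumption.
    s_j_new = rng.randrange(N)
    shares_new = issue_shares(s_j_new, [a1, a2, a4], rng)
    result["after_change"] = all(
        recover_s_j(a, shares_new) == s_j_new for a in (a1, a2, a4))
    result["removed"] = recover_s_j(a3, shares_new) == s_j_new
    return result


if __name__ == "__main__":
    print(demo())
```

The $t_j$ shares alone fix only a polynomial of degree $t_j - 1$, which is why `shares_only` is false: the executive's own point $(ID_{A_i}, K_i)$ is the missing $(t_j + 1)$-th point.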

Performance Evaluation and Further Discussion
This section evaluates the performance of the proposed scheme. The test was implemented in Python 3 on a personal computer with an Intel(R) Core(TM) i7-9750H 2.60 GHz CPU, 16.0 GB RAM, and a 64-bit Windows 10 operating system. The analysis was divided into two categories: (1) communication cost and (2) computational cost. To ensure security, in the evaluation, SHA-256 and AES with a block size of 128 bits and a key length of 256 bits are adopted, and the lengths of $p$, $q$, and $n$ are 1024 bits, 1024 bits, and 2048 bits, respectively. In Section 6.1, we evaluate the communication costs of the department authentication device setup and authentication phases in which messages are transmitted. Section 6.2 analyzes the computational costs for the initialization, department authentication device setup and authentication phases. In Section 6.3, further discussion is presented.

Analysis of Communication Cost
The proposed user authentication scheme can be regarded as an application layer protocol. How to transmit data between devices and fix bit errors is defined by transmission standards such as Bluetooth. To analyze the communication cost of the proposed scheme, the extra data transmission resulting from transmission standards is not taken into consideration. The communication cost for one phase is the number of bits of messages exchanged in this phase. In the proposed scheme, messages are exchanged in only the department authentication device setup phase and authentication phase, so communication costs for these two phases are evaluated. The communication cost for the proposed scheme is shown in Table 2. For generality, let $t_j$ represent the total number of executives who can manage and inspect $C_j$.
In the department authentication device setup phase, three messages are exchanged. The first message contains a 2048-bit random number $R_1$. Then, the second message contains another 2048-bit random number $R_2$. The third message contains $cparas$ and two hash values, $veri1$ and $veri2$. Because $cparas$ is the ciphertext of $\{S_j, (H(ID_{A_1}), e_1), (H(ID_{A_2}), e_2), \dots, (H(ID_{A_{t_j}}), e_{t_j}), (r_{j,1}, Share_{j,1}), (r_{j,2}, Share_{j,2}), \dots, (r_{j,t_j}, Share_{j,t_j})\}$, its size is $2048 + t_j \times (256 + 2048) + t_j \times (2048 + 2048) = (2048 + 6400 t_j)$ bits. Therefore, the size of the messages transmitted in the department authentication device setup phase is $(6656 + 6400 t_j)$ bits.
In the authentication phase, three messages are exchanged. The first message contains one 2048-bit random number $R_1$. The second message contains one 2048-bit random number $R_2$, $PID$, $cshares$, and one hash value $check$. Because $cshares$ is the ciphertext of $((r_{j,1}, Share_{j,1}), (r_{j,2}, Share_{j,2}), \dots, (r_{j,t_j}, Share_{j,t_j}))$, its size is $(2048 + 2048) \times t_j = 4096 t_j$ bits. The size of $PID$ is 256 bits because $PID = TMS \oplus ID_{D_j}$. The size of $check$ is 256 bits. So, the size of the second message is $2048 + 256 + t_j \times (2048 + 2048) + 256 = (2560 + 4096 t_j)$ bits. The third message contains $\sigma_1$ and $\sigma_2$. The size of $\sigma_1$ is 256 bits because $\sigma_1 = H(R_1 \| R_2 \| S_j') \oplus ID_{A_i}$. Because the length of $n$ is 2048 bits, the size of $\sigma_2 = SK_i^{H(ID_{A_i} \| R_1 \| R_2 \| S_j)} \bmod n$ is also 2048 bits. Thus, the size of the third message is $256 + 2048 = 2304$ bits. The size of the messages transmitted in the authentication phase is $2048 + 2560 + 4096 t_j + 2304 = (6912 + 4096 t_j)$ bits. The total communication cost of the proposed scheme is $(13{,}568 + 10{,}496 t_j)$ bits.

Analysis of Computational Cost
There are four phases in the proposed scheme: initialization phase, department authentication device setup phase, authentication phase, and authentication data update phase. Because the authentication data update phase is similar to the initialization phase, we simulate the initialization phase, department authentication device setup phase, and authentication phase to evaluate the computational cost of the proposed scheme. In the simulation, $t_j$ denotes the total number of executives who can manage and inspect $C_j$, and $t_j \in \{2, 5, 10, 20, 30, 50\}$. To eliminate the influence of unpredictable factors and make the evaluation meaningful, we run the simulation 1000 times and compute the average computational costs. The computational costs for the initialization phase, department authentication device setup phase, and authentication phase are shown in Figures 6-8, respectively.
In the initialization phase, Server performs three tasks: (1) initializing the department's authentication device $D_j$, (2) initializing the executive's authentication device $H_{A_i}$, and (3) initializing the system administrator's authentication device $H_{SA}$. In the first task, Server computes $G_j = H(ID_{D_j} \| Master_2)$. The computational cost of this task is independent of $t_j$, and it takes 0.00720 milliseconds. In the second task, Server computes $K_i$, $d_i$, and $SK_i$ for the executive's authentication device $H_{A_i}$. Similar to the first task, the computational cost of the second task is independent of $t_j$, and initializing $H_{A_i}$ takes 3.09 milliseconds. In the third task, Server computes $Share_{j,t_j}$ for the system administrator's authentication device $H_{SA}$ with the polynomial $P_j(x)$. There exists a positive correlation between the degree of the polynomial $P_j(x)$ and $t_j$. When $t_j$ increases, both the degree of the polynomial $P_j(x)$ and the time required to obtain the polynomial increase. For $t_j \in \{2, 5, 10, 20, 30, 50\}$, the computational costs for the third task are 0.0600 milliseconds, 0.384 milliseconds, 4.53 milliseconds, 75.31 milliseconds, 411 milliseconds, and 3090 milliseconds, respectively. To summarize, the total computational costs for the initialization phase with $t_j \in \{2, 5, 10, 20, 30, 50\}$ are 5.64 milliseconds, 14.0 milliseconds, 32.0 milliseconds, 156 milliseconds, 500 milliseconds, and 3240 milliseconds, respectively.
In the authentication phase, $D_j$ and $H_{A_i}$ authenticate each other. $D_j$ computes $TMS$, $PID$ and $check$ and encrypts $((r_{j,1}, Share_{j,1}), (r_{j,2}, Share_{j,2}), \dots, (r_{j,t_j}, Share_{j,t_j}))$ with AES to get $cshares$. $D_j$ has to retrieve $ID_{A_i}$ and compute $\sigma_2^{e_i} \bmod n$ with the matched $e_i$ after receiving the message sent from $H_{A_i}$. $check$ is the hash value of $(R_1 \| R_2 \| (r_{j,1}, Share_{j,1}) \| (r_{j,2}, Share_{j,2}) \| \dots \| (r_{j,t_j}, Share_{j,t_j}) \| MS \| ID_{D_j} \| S_j)$, so the time needed to compute $check$ is positively correlated to $t_j$. Similarly, when $t_j$ increases, the time needed for encryption will also increase. Thus, for $t_j \in \{2, 5, 10, 20, 30, 50\}$, $D_j$ spends 0.823 milliseconds, 0.841 milliseconds, 0.877 milliseconds, 0.893 milliseconds, 1.13 milliseconds, and 1.15 milliseconds in the authentication phase, respectively.
On the other hand, $H_{A_i}$ uses AES to decrypt $cshares$ after computing $TMS'$, $S_j'$, $ID_{D_j}$, $check'$, $\sigma_1$ and $\sigma_2$ in the authentication phase. $check$ is the hash value of $(R_1 \| R_2 \| (r_{j,1}, Share_{j,1}) \| (r_{j,2}, Share_{j,2}) \| \dots \| (r_{j,t_j}, Share_{j,t_j}) \| MS \| ID_{D_j} \| S_j)$, so the time needed to compute $check$ is positively correlated to $t_j$. Similarly, when $t_j$ increases, the time needed for decryption will also increase. In the proposed scheme, Lagrange interpolation is utilized to compute $S_j$, so $t_j$ is also positively correlated to the time needed to compute $S_j$. That is, the larger $t_j$ is, the longer it takes to compute $S_j$. Then, for $t_j \in \{2, 5, 10, 20, 30, 50\}$, $H_{A_i}$ spends 1.01 milliseconds, 1.02 milliseconds, 1.12 milliseconds, 1.19 milliseconds, 1.93 milliseconds, and 2.82 milliseconds in the authentication phase, respectively.
By the above analysis, it is ensured that the proposed scheme can ensure efficiency and be applied in real-time applications because the time for authentication is far less than one second. On the other hand, although the proposed scheme is designed to help an executive to be authenticated by the department authentication device, it can also be utilized for access control of small-sized enterprises/facilities/apartment complexes while workers/members/residents instead of executives are authenticated.

Further Discussion
In this subsection, we describe the unpredictable factors encountered when we run the simulation. As shown in the previous analysis, many parameters are positively correlated to $t_j$. In ideal circumstances, the computational costs of computing these parameters should be proportional to $t_j$. However, after the simulation is run, the outcome is different from that expected. With further analysis, three unpredictable factors that may affect the simulation are found. The details are as follows.

Data Type Conversion
In our proposed system, over 100 parameters are used to compute variables, and data type conversion of these parameters and variables may impact the computational cost. In the authentication phase, for instance, $D_j$ has to compute $check = H(R_1 \| R_2 \| (r_{j,1}, Share_{j,1}) \| (r_{j,2}, Share_{j,2}) \| \dots \| (r_{j,t_j}, Share_{j,t_j}) \| MS \| ID_{D_j} \| S_j)$, where all input parameters and variables of the one-way hash function are integers. Integers cannot be concatenated directly, so data type conversion is needed to convert each integer to a string. Moreover, the time for data type conversion is neither constant nor linear. Consequently, data type conversion is an unpredictable factor that may influence the computational cost.

Insufficient Memory
In the initialization phase, the management server Server obtains the polynomial $P_j(x) = a_{t_j} x^{t_j} + a_{t_j - 1} x^{t_j - 1} + \dots + a_1 x + S_j \bmod n$ and computes $Share_{j,1} = P_j(r_{j,1})$, $Share_{j,2} = P_j(r_{j,2})$, ..., $Share_{j,t_j} = P_j(r_{j,t_j})$. All $Share$ values computed by the polynomial are integers, and they represent the sum of parameters and variables. At first, Python allocates a small amount of memory to store the variable $Share$. However, when the size of $Share$ increases, the allocated memory is insufficient, so Python has to allocate more memory to store $Share$. This increases the computational cost in the simulation. Consequently, insufficient memory is another unpredictable factor that may influence the computational cost.

Number System Conversion
When one operation manipulates two or more numbers of different or undesired bases, number system conversion is needed. In the authentication phase, for instance, the executive's authentication device $H_{A_i}$ computes $\sigma_1 = H(R_1 \| R_2 \| S_j') \oplus ID_{A_i}$, where $\sigma_1$ is computed with a hash value and an identity. Hash values are hexadecimal numbers, and all identities are decimal numbers after the data type conversion. That is, before $\sigma_1$ is computed, both $H(R_1 \| R_2 \| S_j')$ and $ID_{A_i}$ need to be converted to binary numbers. However, number system conversion may increase the computational cost. Moreover, the time for number system conversion is neither constant nor linear. Thus, number system conversion is also an unpredictable factor that may influence the computational cost.

Conclusions
This paper proposes an offline user authentication system that ensures non-repudiation and anonymity. With the proposed scheme, management can be easily conducted even when personnel changes are made. We show that the proposed scheme satisfies the desired requirements and can resist common attacks. Additionally, we evaluate its performance by analyzing communication cost and computational cost, and further discussion shows three unpredictable factors that may affect the computational cost in the simulation. By the analysis and evaluation mentioned above, it is ensured that the proposed offline user authentication system can be applied to real-time applications that possess the same requirements in the real world.