Formal Security-Proved Mobile Anonymous Authentication Protocols with Credit-Based Chargeability and Controllable Privacy ^†

Abstract

Smart mobile phones are widely popularized and advanced mobile communication services are provided increasingly often, such that ubiquitous computing environments will soon be a reality. However, there are many security threats to mobile networks and their impact on security is more serious than that in wireline networks owing to the features of wireless transmissions and the ubiquity property. The secret information which mobile users carry may be stolen by malicious entities. To guarantee the quality of advanced services, security and privacy would be important issues when users roam within various mobile networks. In this manuscript, an anonymous authentication scheme will be proposed to protect the security of the network system and the privacy of users. Not only does the proposed scheme provide mutual authentication between each user and the system, but also each user’s identity is kept secret against anyone else, including the system. Although the system anonymously authenticates the users, it can still generate correct bills to charge these anonymous users via a credit-based solution instead of debit-based ones. Furthermore, our protocols also achieve fair privacy which allows the judge to revoke the anonymity and trace the illegal users when they have misused the anonymity property, for example, if they have committed crimes. Finally, in this paper, we also carry out complete theoretical proofs on each claimed security property.

1. Introduction

Recently, mobile communication is becoming more and more popular such that many applications and services are provided in the mobile network environments [1]. Moreover, some countries have constructed wireless network architectures of 4G (4th Generation) mobile networks. There is also smart mobile equipment that has been produced in order for people to enjoy mobile services anywhere and anytime. It is obvious that mobile computing will penetrate people’s lives in the near future. Convenient mobile network services and powerful mobile equipment will make people all around the world become willing to join the society of mobile communications.

Mobile users may process important documents or secret personal information in their mobile equipment when they roam around the mobile networks. They might worry about whether it is secure for them to carry their important data to the mobile networks. When mobile users exchange messages in the mobile networks, they will face lots of security threats. The eavesdroppers may try to obtain their transmitted messages, their real identities, and even their locations where they are roaming around [2]. The more information the eavesdroppers know, the less security and privacy the mobile users preserve. Sometimes the vicious insiders of the system operator would disclose the classified information of mobile users. Any system without maintaining user privacy will not be acceptable in the future [3,4,5].

There exist some weaknesses on user privacy in the existent 2G mobile network system. Each mobile user’s alias, TMSI, can be linked to her/his real identity, IMSI, by attackers when the VLR requests her/him to retransmit her/his IMSI. The 2G mobile network also has no design for satisfying mutual authentication and protecting the users’ privacy against the system operator. A mobile user may be cheated by some fake base stations in a mobile network system due to lack of mutual authentication. Although the 3G system has provided mutual authentication, the privacy or anonymity of mobile users has not been sufficiently considered yet.

Most of the proposed authentication schemes [6,7,8,9,10,11,12] which emphasize the privacy of mobile users usually assign an anonymous identity to each user. A mobile user will obtain an anonymous identity after she/he is successfully authenticated by the system operator, and she/he will take this valid alias to roam over the mobile networks. The eavesdroppers do not know the relation between her/his real identity and alias, but the system operator can derive the relation. To protect the user’s privacy perfectly, we hope that anyone else, even the system operator, cannot derive such relations either. Owing to the unlinkability property, the technique of blind signatures [13] can help us with realizing complete anonymity for mobile users.

Another problem is that once a mobile user gets anonymity, how can the system operator charge her/him when she/he requests the mobile network services via an anonymous identity? Especially, how can the system charge the user via a credit-based way, which is the most commonly-used billing solution and has been accepted by almost all of the mobile users? Further more, if there is some mobile user who misused the anonymity property to commit crimes, how can the judge handle it? All of the current solutions cannot cope with all of the above problems at the same time.

In our solution, every mobile user is anonymous from the system operator and any other person’s point of view when she/he is accessing the mobile network resources. Furthermore, the system operator can charge the mobile user according to the communication time the user consumed via a credit-based way. Moreover, we also consider the issue of fair privacy. The privacy of the mobile users who misused the anonymity property can be revoked by the judge, and the police can trace the criminals who have gotten anonymity. This is the property of fair privacy. We simultaneously realize the anonymity, credit-based chargeability, and fair privacy (revokeability and traceability) in our proposed authentication protocols for mobile communications.

We produced a related work [14] which introduced the basic idea of this research. In this manuscript, we proposed more security features: Unlinkability, Unforgeability, Tamper Resistance, Swindling Resistance, Secure Mutual Authentication, and Secure Authenticated Key Exchange. Furthermore, the formal security proofs guarantee the security strength of the proposed system. Besides, we also did implementation to show the practical computation cost on cellphone.

2. Some Requirements for Anonymous Authentication

In mobile network environments, we need the following requirements for anonymous authentication.

• Dynamic anonymous identity: When an anonymous user uses the same anonymous identity to roam over the mobile network for all sessions, her/his identity may be exposed by analyzing her/his behavior. We think that an anonymous user should use different anonymous identities for different sessions when she/he roams over the mobile network.
• No relation between any two aliases: The privacy of a mobile user will be broken if the relations between any two aliases of the user are disclosed.
• No mapping table, which contains the mapping between each real identity and its corresponding anonymous identity, stored in the system operator: The system operator authenticates an anonymous user directly without maintaining a database to record a mapping between all of the user’s anonymous identities and the user’s real identity. This will make it possible for the user to gain her/his privacy against the system, and the system can save its storage space.
• Authenticated key agreement: After anonymous authentication between the system and an anonymous user, a shared session key will be established. If the user shares a long-term key with the system in advance and derives the session key via the shared long-term key, the system can trace her/him by recognizing the long-term key embedded in the session key. Hence, in order to preserve user anonymity, the system and the user have to establish their session key without sharing any key or information in advance. Besides, all session keys should be mutually independent from each other.
• Traceability in some situations: If there exist malicious users, a trusted third party must be able to revoke their privacy. An anonymous authentication protocol should own the feature of revokable anonymity in order to deal with the above situation.
• Credit-based chargeability: When a user conceals her/his identity from the system operator, it will be hard for the system to charge the anonymous user after she/he utilizes the network services. An anonymous authentication scheme for mobile communications should allow the system operator to charge anonymous mobile users via the popularized credit-based way without revealing their identities. The credit-based chargeability in the proposed system means that any user does not need to pay, even pay with a credit card, before she/he uses the services of the system. Every consumption of the user will be accumulated in her/his ticket. The ticket has a life cycle and the user should return the ticket to the system at the end of the cycle, say the end of each month. Finally, the system will send the user a bill which includes the total amount of the consumption retrieved from the ticket.

3. The Proposed Protocols

First, we define and explain some notations as follows:

• $MS$, H, V: These are three participants in our protocols. $MS$ is a mobile user, H is the server of the home network, and V is the server of a visiting network.
• $I{D}_{MS}$: the real identity of $MS$.
• $E_x,D_x$: $E_x$ is a semantic secure encryption function [15] and $D_x$ is the decryption function corresponding to $E_x$ where x can be an input symmetric key or public/private key.
• $k_{ms\_h},k_{ms\_v},k_{v\_h}$: The shared session keys between $MS$ and H, $MS$ and V, and V and H, respectively.
• $(p{k}_J,s{k}_J)$ and $(p{k}_V,s{k}_V)$: $(p{k}_J,s{k}_J)$ is the public/private key pair of the judge and $(p{k}_V,s{k}_V)$ is the public/private key pair of V.
• $l_r$: a security parameter.
• $F_1$, $F_2$, and $F_3$: three one-way hash functions.
• A judge device: The judge issues a tamper-resistant device which contains {a random-number generator, a symmetric-key cryptosystem, a public-key cryptosystem, a public-private key pair of the judge, $F_1$, $F_2$}. This device will be integrated into the system of H. It is impossible to steal or modify any information embedded in the device. In our scheme, the judge is an off-line party, i.e., the judge does not need to keep connection with H in our protocols, but the judge device does. In practice, the judge device can be implemented by the technique of TPM (Trusted Platform Module) [16] which is maintained by the Trusted Computing Group [17]. Nowadays, TPMs are also embedded in mobile phones and notebook computers [18].
• γ: This is a due date. As shown in Figure 1, if a mobile user requests a ticket for communication in time slot $P_i$, H will assign her/him the due date ${\gamma }_{i+1}$ where ${\gamma }_{i+1}$ is the last day of next time slot $P_{i+1}$. H assigns the same γ to each mobile user who requests a ticket in the same time slot. All time slots are equally long.

Our scheme consists of four protocols which are described in Section 3.3, Section 3.4, Section 3.5 and Section 3.6, respectively. In our scheme, a mobile user requests an anonymous ticket by performing the protocol in Section 3.3. Then she/he can use the anonymous ticket for network services by executing the protocol in Section 3.4. After she/he performs the protocol in Section 3.4 for network services, H can charge her/him on the due date via the protocol in Section 3.5. Especially, if she/he does something illegal, the judge and the police can revoke her/his privacy or trace her/him through the protocol in Section 3.6.

3.1. Overview of Our Proposed Scheme

In this section, we describe how a mobile user obtains anonymity, how the system charges an anonymous user via a credit-based method, and how the judge revokes the anonymity from an anonymous user who does something malicious.

In our scheme, a mobile user has to request an anonymous ticket first and then uses it for authentication. As shown in Figure 2, when the mobile user request a ticket, the system, V and H, will send her/him a blinded ticket with her/his the identity $ID$ and an initial value $w=0$. The mobile user gets anonymity by unblinding the obtained ticket.

The system charges the mobile user by a credit-based way as follows. Each time the mobile user consumes her/his ticket for mobile network services, the system will return her/him a new one which contains an updated value $(w+w^{\prime })$ where $w^{\prime }$ is the value of the money H wants to charge the user for this time of communication service. Finally, the user must return her/his current unused ticket to the system on the due date of the ticket and the system will send her/him a bill which contains the accumulated value retrieved from the returned ticket of the user. During the services, the user is anonymous to the system under the protection from our proposed anonymity mechanism.

However, if the user does something malicious, the judge can revoke her/his anonymity by extracting her/his identity from the ticket and the police can trace the user via the embedded identity.

3.2. Key Generation

H chooses two distinct large primes $p_H$ and $q_H$ and computes $n_H=p_H{q}_H$. H also selects its public key $e_H$ and the private key $d_H$ such that $e_H{d}_H\equiv 1(mod\varphi \left(n_H\right))$ where $\varphi \left(n_H\right)=(p_H-1)(q_H-1)$. Finally, H publishes $\{n_H,e_H,F_1,F_2,F_3\}$ and keeps {$p_H,q_H,d_H$} secret. Besides, H also publishes all time slots $P_i$s, $i\in \{1,2,3,...\}$, i.e., all of the due dates γ’s are published.

3.3. The Protocol for Requesting an Initial Anonymous Ticket

In our scheme, the mobile user, $MS$, can request an anonymous ticket by running the protocol in this section after she/he performs any existing secure mutual authentication protocol with the system, V and H. There exists a secure channel between V and H where the shared encryption key is $k_{v\_h}$. This protocol contains the following steps and it is also shown in Figure 3.

• $MS\to H:(\alpha ,\theta )$.
  First, $MS$ randomly generates two $l_r$-bit strings $(m$, $k)$ and an integer $r\in {\mathbb{Z}}_{n_H}^{*}$. Then $MS$ computes

  $$\alpha =r^{e_H}{F}_1^2\left(m\right)mod{n}_H$$

  (1)

  and $\theta =E_{p{k}_J}(k,I{D}_{MS})$. Finally, $MS$ submits $(\alpha ,\theta )$ to H.
• $H\to$ The judge device $:(\mu$, γ, $\theta )$.
  In this step, H knows that $MS$, whose real identity is $I{D}_{MS}$, wants to request a ticket. Let $\mu =I{D}_{MS}$ and γ be the last day of next time slot. Then H inputs $(\mu$, γ, $\theta )$ into the judge device. H also records that $I{D}_{MS}$ has bought a ticket in the current time slot and she/he will have to return an unused ticket on the due date γ for billing.
• The judge device $\to H:(\beta$, ρ, $\xi )$.
  First, the judge device decrypts θ by computing $D_{s{k}_J}\left(\theta \right)$ and parses the result as $(k,I{D}_{MS})$. Then it checks if $\mu =I{D}_{MS}$. If true, it randomly generates two $l_r$-bit strings $(r_j,r_z)$ and an integer $b\in {\mathbb{Z}}_{n_H}^{*}$. Then it sets $w=0$ and computes $\delta =E_{p{k}_J}(I{D}_{MS},F_1\left(r_z\right))$, $\sigma =E_{p{k}_J}(w,r_j)$, and

  $$\beta =b^{e_H}{F}_2(\delta ,\sigma ,\gamma )mod{n}_H$$

  (2)

  Finally, it computes $\rho =E_k(\delta$, b, $\sigma )$ and $\xi =E_{p{k}_J}\left(r_z\right)$ and returns $(\beta ,\rho ,\xi )$ to H.
• $H\to MS:(t,\rho ,\gamma )$.
  After receiving $(\beta ,\rho ,\xi )$, H records $(I{D}_{MS},\xi ,\gamma )$ and computes $t={\left(\alpha \beta \right)}^{d_H}mod{n}_H$. Then it sends $(t,\rho ,\gamma )$ to $MS$.
• Unblinding.
  After receiving $(t,\rho ,\gamma )$, $MS$ checks if γ is the last day of next time slot. Then she/he decrypts ρ by computing $D_k\left(\rho \right)$ and parses the result as $(\delta ,b,\sigma )$. She/He also computes

  $$s={\left(br\right)}^{-1}tmod{n}_H$$

  (3)

  Then she/he obtains a ticket $(m$, δ, σ, γ, $s)$ and can verify it by examining if the following formula is true:

  $$F_1^2\left(m\right)F_2(\delta ,\sigma ,\gamma )\equiv s^{e_H}(mod{n}_H)$$

  (4)

  Finally, $MS$ sets $i=1$ and $(m_i,{\delta }_i,{\sigma }_i,\gamma ,s_i)=(m,\delta ,\sigma ,\gamma ,s)$ and then goes to the protocol of Section 3.4 when she/he decides to use the ticket to roam the mobile networks.

3.4. The Protocol for Using an Anonymous Ticket in the ith Round before the Due Date

This protocol makes them possible for the anonymous mobile user $MS$ to perform mutual authentication with V and use her/his ticket for mobile network services. It contains the following steps and also is illustrated in Figure 4.

• $MS\to V:(\alpha ,{\theta }_1,T,{\theta }_2)$.
  First, $MS$ sets $(m^{*}$, ${\delta }^{*}$, ${\sigma }^{*}$, $s^{*})=(m_i$, ${\delta }_i$, ${\sigma }_i$, $s_i)$ and then prepares $T=(F_1\left(m^{*}\right),{\delta }^{*}$, ${\sigma }^{*}$, γ, $s^{*})$ and randomly generates 5 $l_r$-bit strings $(m^{**}$, k, $r_1$, $r_2$, $r_3)$ and an integer $r\in {\mathbb{Z}}_{n_H}^{*}$. Furthermore, $MS$ computes $\alpha =r^{e_H}{F}_1^2\left(m^{**}\right)mod{n}_H$, ${\theta }_1=E_{p{k}_J}\left(k\right)$, and ${\theta }_2=E_{p{k}_V}(r_1,r_2,r_3)$. Finally, $MS$ submits $(\alpha ,{\theta }_1,T,{\theta }_2)$ to V.
• $V\to MS:(r_1,r_4)$.
  After receiving $(\alpha ,{\theta }_1,T,{\theta }_2)$, V first verifies T by examining if

  $${\left(s^{*}\right)}^{e_H}\equiv F_1\left(F_1\left(m^{*}\right)\right)F_2({\delta }^{*},{\sigma }^{*},\gamma )(mod{n}_H)$$

  (5)

  and γ is not expired. If true, V decrypts ${\theta }_2$ to get $(r_1,r_2,r_3)$ and randomly generates an $l_r$-bit string $r_4$. Then V sends $(r_1,r_4)$ to $MS$.
• $V\to H:E_{k_{v\_h}}\left(T\right)$.
  After V sends $(r_1,r_4)$ to $MS$, it also immediately submits $E_{k_{v\_h}}\left(T\right)$ to H in order to perform the double-using checking on T. If T is doubly used, the connection will be terminated.
• $MS\to V:\left(r_5\right)$.
  After receiving $(r_1,r_4)$, $MS$ checks if $r_1$ is the same as the one which was chosen by herself/himself. Then $MS$ computes $r_5=F_3(r_2\left|\right|r_4)\oplus m^{*}$ and sends $r_5$ to V.
• Allowing Communication:
  After receiving $r_5$, V computes $m=r_5\oplus F_3(r_2\left|\right|r_4)$ and checks if $F_1\left(m\right)=F_1\left(m^{*}\right)$ where $F_1\left(m^{*}\right)$ is retrieved from T. If true, V ensures that $MS$ is the real owner of T. Therefore, V allows $MS$ to communicate with it. During the communication, they can encrypt/decrypt their messages via the session key $r_3$.

After $MS$ terminates her/his communication, she/he will get a returned ticket which will be used for the next round of authentication. As shown in Figure 5, she/he has to perform the following procedures with the system to obtain the returned ticket.

• $MS\to V:$ (Termination).
  $MS$ notifies V that she/he wants to terminate her/his communication.
• $V\to H:\left(E_{k_{v\_h}}(\alpha ,{\theta }_1,T,m^{*},w^{\prime })\right)$.
  After receiving the termination request from $MS$, V computes the spending value $w^{\prime }$ of $MS$ according to the communication time or services utilized by $MS$. Then V sends $E_{k_{v\_h}}(\alpha ,{\theta }_1,T,m^{*},w^{\prime })$ to H.
• $H\to$ The judge device: $(T$, $w^{\prime }$, ${\theta }_1)$.
  H decrypts the message received from V and stores $(T,m^{*},w^{\prime })$ into its database. Then H inputs $(T$, $w^{\prime }$, ${\theta }_1)$ into the judge device.
• The judge device $\to H:(\beta$, $\rho )$.
  When receiving $(T$, $w^{\prime }$, ${\theta }_1)$, the judge device will verify T by (5) first and verify whether the due date γ embedded in T has expired or not. If one of the above verifications fails, the judge device will return an aborting signal. Otherwise, the judge device computes $k=D_{s{k}_J}\left({\theta }_1\right)$, $(I{D}_{MS},r_z^{\prime })=D_{s{k}_J}\left({\delta }^{*}\right)$, and $(w^{*},r_j^{*})=D_{s{k}_J}\left({\sigma }^{*}\right)$ where ${\delta }^{*}$ and ${\sigma }^{*}$ are retrieved from T. Furthermore, it randomly selects a string $r_j\in {\{0,1\}}^{l_r}$ and an integer $b\in {\mathbb{Z}}_{n_H}^{*}$ and prepares ${\delta }^{**}=E_{p{k}_J}(I{D}_{MS},F_1\left(r_z^{\prime }\right))$, ${\sigma }^{**}=E_{p{k}_J}((w^{*}+w^{\prime }),r_j)$, and $\beta =b^{e_H}{F}_2({\delta }^{**},{\sigma }^{**},\gamma )mod{n}_H$. Finally, it computes $\rho =E_k({\delta }^{**}$, b, ${\sigma }^{**})$ and outputs $(\beta$, $\rho )$ to H.
• $H\to MS:(t,\rho )$.
  After receiving $(\beta$, $\rho )$, H computes $t={\left(\alpha \beta \right)}^{d_H}mod{n}_H$ and returns $(t,\rho )$ to $MS$.
• Unblinding
  After receiving $(t,\rho )$, $MS$ computes $({\delta }^{**}$, b, ${\sigma }^{**})=D_k\left(\rho \right)$ and $s^{**}={\left(br\right)}^{-1}tmod{n}_H$. $MS$ obtains a new ticket as $(m^{**},{\delta }^{**},{\sigma }^{**},\gamma ,s^{**})$ which can be verified by checking whether $F_1^2\left(m^{**}\right)F_2({\delta }^{**},{\sigma }^{**},\gamma )\equiv {\left(s^{**}\right)}^{e_H}(mod{n}_H)$ is true or not. If true, $MS$ sets $i=i+1$ and $(m_i$, ${\delta }_i$, ${\sigma }_i$, γ, $s_i)=(m^{**}$, ${\delta }^{**}$, ${\sigma }^{**}$, γ, $s^{**})$, which is the new unused (fresh) ticket of the user. Thus, she/he can use the fresh ticket for the next round of communication before the due date, γ.

3.5. The Protocol for Charging Mobile Users

For each mobile user, $MS$, the system operator, H, calculates her/his bill through the following steps on the due date, γ:

• $MS$ returns her/his real identity and unused ticket, $(m^{*},{\delta }^{*},{\sigma }^{*},\gamma ,s^{*})$, to H before the due date.
• H checks that the ticket does not exist in its database and sends the ticket to the judge device.
• The judge device verifies if the ticket is valid via (4) and checks if the γ has expired. If true, it computes $(w,r_j)=D_{s{k}_J}\left({\sigma }^{*}\right)$ and returns the spending value w to H.
• H adds w to the bill of $MS$ and deletes the record which indicates that $MS$ has ever requested a ticket.
• Send the bill to $MS$.

Besides, if the mobile user wants to request a ticket after the due date, γ, she/he should perform the protocol of Section 3.3 again.

Our scheme adopts credit-based charging, i.e. the system charges each mobile user after it has finished a sequence of services for the user, just as the practical situation in the real world. It is different from the others which provided approaches of debit-based charging, i.e. each mobile user has to purchase payment token(s) before she/he starts accessing the services provided by the system [6,12]. What are the differences between charging mobile users in advance and charging them after the services? The followings are the reasons why we design our scheme to charge mobile users via a credit-based way.

• Adaptability. In current GSM services, almost all of the systems adopt credit-based ways to charge users.
• Reducing the relations between any two rounds of communication with one token only. There are two possible ways to charge a mobile user in advance (debit-based ways), which are described as follows:

  (a)

  The mobile user purchases a set of payment tokens from the system previously where each of the tokens is with a unit of value. In each round of communication, the mobile user sends a proper number of tokens to the system for payment. In this case, it is difficult for the system to derive the relation between any two rounds of communication since the tokens are independent one another. However, this will consume much storage and communication cost for recording and transmitting these tokens.

  (b)

  The mobile user purchases only one payment token from the system previously where the token is with a specific value w. In the following round of communication, the mobile user sends the token to the system for payment and then the system returns a new token with value $(w-w_1)$ if the user consumes $w_1$ value of that token. In this mechanism, the mobile user just needs to store one token. However, this will cause defective privacy. When the system returns one token with value $(w-w_1)$ to the user, the system knows that the user will use the token with value $(w-w_1)$ in the next round. There exists a relation between these two rounds of communication.

  Our scheme allows a user to store one token and greatly reduces the relations between any two rounds of communication from the system’s point of view. All of the users return their unused tickets to the system for charging and thus the system knows the total spending value of every user in the previous time slot. However, it is difficult for the system to trace a specific user by finding out all of her/his spending values from the spending value pool which contains all spending values of all users in the previous time slot. This is the subset sum problem, shown below, which is NP-Hard [19]. The proposed system makes it computationally infeasible to link any two rounds of communication with the assumption of large subset sizes.
  Definition 1. Given a vector over integers $A=(a_1,a_2,\cdots ,a_n)$ and a positive integer s, called the sum, compute a solution vector $X=(x_1,x_2,\cdots ,x_n)$ where $x_i\in \{0,1\}$ such that $AX=a_1{x}_1+a_2{x}_2+\cdots +a_n{x}_n=s$.
  The integer s can be regarded as the total spending value of a mobile user and the vector A contains all spending values in the spending value pool.
• Free from the problem of overspending. In debit-based charging methods (both of the above two ways (a) and (b)), when a mobile user shows her/his token(s) to the system for communicating, her/his communication will be terminated if the tokens or the token’s value are used up. It will cause inconvenience for the mobile user. If the system does not terminate the communication, the mobile user will overspend the token(s) and the system must perform extra procedures to deal with the situation. In our scheme, based on a credit-based method, the above problem can be avoided.

3.6. The Protocol for Privacy Revoking

In some situations, H or the judge needs to disclose the identity of an anonymous mobile user. For example, some user commits a crime; the police want to trace some criminals; or some mobile users who do something harmful for H. Our scheme supports two ways to trace illegal anonymous mobile users.

• Tracing the mobile user by a designated ticket: Once an anonymous user imposes on anonymity to commit a crime, her/his ticket will be reported to the judge. Assume that the ticket is $(m^{\prime },{\delta }^{\prime },{\sigma }^{\prime },{\gamma }^{\prime },s^{\prime })$. The judge will extract ${\delta }^{\prime }$ from the ticket and parse $D_{p{k}_J}\left({\delta }^{\prime }\right)$ to get $I{D}_{MS}$.
• Tracing the tickets by a designated mobile user: If the police want to trace a criminal (whose real identity is $I{D}_{MS}$) in the time slot $P_i$, the police can send $(I{D}_{MS},{\gamma }_{i+1})$ to H and ask H and the judge to disclose the privacy of the criminal. In this case, H will retrieve ξ from its stored records according to $(I{D}_{MS},{\gamma }_{i+1})$ and send ξ to the judge. After decrypting ξ and obtaining $r_z$, the judge computes

  $$\left\{\begin{array}{c}{\delta }_1=E_{p{k}_J}(I{D}_{MS},F_1^1\left(r_z\right))\hfill \\ {\delta }_2=E_{p{k}_J}(I{D}_{MS},F_1^2\left(r_z\right))\hfill \\ {\delta }_3=E_{p{k}_J}(I{D}_{MS},F_1^3\left(r_z\right))\hfill \\ ⋮\hfill \\ {\delta }_i=E_{p{k}_J}(I{D}_{MS},F_1^i\left(r_z\right))\hfill \end{array}\right.$$

  (6)

  Then, it sends $\{{\delta }_1,{\delta }_2,{\delta }_3,\cdots ,{\delta }_i\}$ to H, and H can help the police to trace the mobile user in time slot $P_i$ via the above set. In our scheme, the mobile user takes the anonymous ticket containing ${\delta }_1$ for her/his first round of communication, the ticket containing ${\delta }_2$ for the second round, and so forth. According to this order, H can trace the communication activities of the criminal from the first round to the ith round via {${\delta }_1,{\delta }_2,{\delta }_3,\cdots ,{\delta }_i$}.

3.7. Exceptions

In addition to the above issues, there are three exceptions that may happen in our scheme. One is that the mobile user denies returning her/his ticket for billing on the due date. Another is that the mobile user lost her/his ticket (or lost her/his mobile device), and the other one is that the mobile user’s communication is terminated abnormally.

• The mobile user denies returning her/his ticket for billing on the due date: After the due date γ, if there is any mobile user who has not returned her/his unused ticket yet, H will send a list $\mathcal{L}$ to the judge where $\mathcal{L}$ contains the identities of the mobile users who did not return their unused tickets. According to $\mathcal{L}$, the judge sends a payment notification to each mobile user on $\mathcal{L}$ and announces another due date ${\gamma }^{{}^{\prime }}$. If a mobile user, say $I{D}_{MS}$, has not returned her/his unused ticket on the new due date ${\gamma }^{{}^{\prime }}$, the judge will compute the set $\{{\delta }_1$, ${\delta }_2$, ${\delta }_3$, $\cdots \}$ according to $I{D}_{MS}$ via Equation (6) and then sends it to H. Let $T_i$ denote the ith ticket, i.e., the ticket containing ${\delta }_i$. Assume that the mobile user denied returning $T_{i+1}$. H can find $(T_i,w^{\prime })$ from its database via ${\delta }_i$. When H finds $(T_i,w^{\prime })$, the judge can help H with extracting the spending value $w^{*}$ from $T_i$, and then H computes $w^{″}=w^{*}+w^{\prime }$ and adds $w^{″}$ to the bill of the mobile user $I{D}_{MS}$.
• The mobile user lost her/his ticket: When a mobile user, say $I{D}_{MS}$, lost her/his unused ticket $T_i$, she/he must ask H to freeze her/his unused ticket or it may be used by a malicious user. After an authorization process, for example, the mobile user signs a document to show that she/he agrees H to ask the judge to compute $\{{\delta }_1,{\delta }_2,\cdots \}$ where the mobile user authorizes H to reveal her/his privacy, H sends $(I{D}_{MS},\xi )$ to the judge to compute $\{{\delta }_1,{\delta }_2,{\delta }_3,\cdots \}$ by Equation (6). Assume that the mobile user lost $T_i$. H must deny the services for $T_i,T_{i+1},T_{i+2},\cdots$ by ${\delta }_i,{\delta }_{i+1},{\delta }_{i+2},\cdots$, respectively, where $i\in \mathbb{N}$. Besides, H finds $(T_{i-1},w^{\prime })$ from its database via ${\delta }_{i-1}$ and sends $T_{i-1}$ to the judge to extract the accumulated spending value $w^{*}$ from $T_{i-1}$. After the judge returns $w^{*}$ to H, H adds $(w^{*}+w^{\prime })$ to the bill of the mobile user.
  In order to handle this exception, the privacy of $T_1,T_2,T_3,\cdots ,T_{i-1}$ of the mobile user will be revealed. However, if the mobile user remembered how many tickets she/he has used, she/he can still preserve her/his privacy. For example, a mobile user lost her/his unused ticket, and she/he remembers that she/he has consumed 4 tickets. Then the judge just needs to compute $\{{\delta }_4,{\delta }_5,{\delta }_6,\cdots \}$ for H, and {${\delta }_1,{\delta }_2,{\delta }_3\}$ are still kept secret for the mobile user. H will check if ${\delta }_j^{\prime }$ exists in its database where $j^{\prime }=\{4,5,6,\cdots \}$. If ${\delta }_{j^{\prime }}$ exists in its database and ${\delta }_{j^{\prime }+1}$ does not, H will retrieve $(T_{j^{\prime }},w^{\prime })$, which will be used for charging the mobile user, from the database via ${\delta }_{j^{\prime }}$. After the mobile user freezes her/his lost ticket, she/he can perform the protocol in Section 3.3 again to request a new ticket.
• The communication is terminated abnormally: Consider the case that the communication of Step 5 in Section 3.4 is abnormally terminated, i.e., the mobile user does not receive a renewed ticket. We assume that each time when the mobile user receives $(t,\rho )$ successfully, she/he will return an $ACK$ to H. Once H does not receive $ACK$, it will store $(t,\rho )$ and $(m^{*},{\delta }^{*},{\sigma }^{*},\gamma ,s^{*})$ into an unsuccessful communication record. Thus, the mobile user can retransmit $(m^{*},{\delta }^{*},{\sigma }^{*},\gamma ,s^{*})$ to H, and H can re-send $(t,\rho )$ to the mobile user.
  Even though the mobile user lost all information in the abnormal termination, i.e., the mobile user cannot unblind t and decrypt ρ when H retransmits them to her/him, she/he can notify H that she/he lost her/his ticket and then go back to the protocol of requesting an anonymous ticket (Section 3.3) to request a new one. In such a case, H can still correctly charge the mobile user and the mobile user can still use the new ticket for the following communications.

4. Security Proofs

4.1. Security Requirements

• Unlinkability: No one except the judge can trace a user when she/he is using her/his ticket for roaming the mobile networks.
• Ticket Unforgeability: None can forge a ticket without performing the requesting ticket protocol of Section 3.3 with the system.
• Tamper Resistance: The triple $(\delta ,\sigma ,\gamma )$ in a ticket cannot be modified.
• Ticket Swindling Resistance: Anyone else cannot consume an eavesdropped ticket for communication services where the ticket is owned by some user.
• Mutual Authentication: Neither a mobile user without a valid ticket nor an illegal system can pass the authentication.
• Secure Authenticated Key Exchange: After mutual authentication, a mobile user and V can share a common session key unknown to any eavesdropper.

4.2. Unlinkability

In our scheme, a mobile user gets an initial anonymous ticket by running the requesting ticket protocol in Section 3.3 and obtains a renewed one when running the using ticket protocol in Section 3.4. In either Section 3.3 or Section 3.4, the mobile user performs the similar operations to get an anonymous ticket. Here, we define a game as follows.

Definition 2. 

Let k be a security parameter, $M{S}_0$ and $M{S}_1$ be two honest mobile users, and $\mathcal{J}$ be the judge. The game is shown below.

Step 1. 

According to our proposed scheme, H sets up the system parameters which contain H’s public key $(e_H,n_H)$, secret key $(d_H,p_H,q_H)$, and hash functions $(F_1,F_2,F_3)$. $\mathcal{J}$ generates its key pair $(p{k}_J,s{k}_J)$.

Step 2. 

H generates and outputs two messages $m_0$ and $m_1$.

Step 3. 

Randomly pick a bit $b\in \{0,1\}$ and place $m_b$ and $m_{1-b}$ on the private input tapes of $M{S}_0$ and $M{S}_1$, respectively. The bit b will not be revealed to H.

Step 4. 

H performs the protocol (Section 3.3 or Section 3.4) of our scheme with $M{S}_0$ and $M{S}_1$, respectively, to issue blinded tickets to them.

Step 5. 

If $M{S}_0$ and $M{S}_1$ output two tickets which are $(m_b,{\delta }_b,{\sigma }_b,{\gamma }_b,s_b)$ and $(m_{1-b},{\delta }_{1-b},{\sigma }_{1-b},{\gamma }_{1-b},s_{1-b})$ on their private tapes, respectively, give the two 5-tuples in a random order to H; Otherwise, ⊥ is given to H.

Step 6. 

H outputs $b^{\prime }\in \{0,1\}$ as the guess of b. H wins the game if $b=b^{\prime }$. Define the advantage of H as

$$Ad{v}_H^{Linkability}\left(k\right)=|2P[b^{\prime }=b]-1|$$

where $P[b^{\prime }=b]$ denotes the probability of $b^{\prime }=b$.

Definition 3 (Unlinkability). 

In our scheme, the protocols in Section 3.3 and Section 3.4 satisfy the unlinkability property if the advantage $Ad{v}_H^{Linkability}\left(k\right)$ in the game of Definition 2 is negligible.

Theorem 1. 

If $E_{p{k}_J}$ and $E_k$ are two semantic secure encryption functions, our proposed protocols in Section 3.3 and Section 3.4 satisfy the unlinkability property.

Proof. 

In Step 5 of Definition 2, if H is given ⊥, it will determine b with probability $\frac{1}{2}$ which is exactly the same as a random guess of b.

We assume that H gets $(m_b,{\delta }_b,{\sigma }_b,{\gamma }_b,s_b)$ and $(m_{1-b}$,${\delta }_{1-b}$,${\sigma }_{1-b}$,${\gamma }_{1-b}$,$s_{1-b})$. Let $({\alpha }_i,{\theta }_i,{\gamma }_i,{\mu }_i,{\beta }_i,{\rho }_i,{\xi }_i,t_i)$ and $({\alpha }_i,{\theta }_{1_i},T_i,m_i^{*},w_i^{\prime },{\beta }_i,{\rho }_i,t_i)$ be the view of H to the protocol of Section 3.3 and the protocol of Section 3.4, respectively, where $i\in \{0,1\}$ and ${\gamma }_0={\gamma }_1$.

Consider $({\theta }_i,{\gamma }_i,{\mu }_i,{\rho }_i,{\xi }_i)$ in Section 3.3 where ${\theta }_i=E_{p{k}_J}(k_i,I{D}_{M{S}_i})$, ${\mu }_i=I{D}_{M{S}_i}$, ${\rho }_i=E_{k_i}({\delta }_i,b_i,{\sigma }_i)$, and ${\xi }_i=E_{p{k}_J}\left(r_{z_i}\right)$, $({\theta }_{1_i},T_i=\{F_1\left(m_i^{*}\right),{\delta }_i^{*},{\sigma }_i^{*},{\gamma }_i,s_i^{*}\},m_i^{*},w_i^{\prime },{\rho }_i)$ in Section 3.4 where ${\theta }_{1_i}=E_{p{k}_J}\left(k_i\right)$, ${\rho }_i=E_{k_i}({\delta }_i^{**},b_i,{\sigma }_i^{**})$, and $w_i^{\prime }$ is encrypted in ${\sigma }_i=E_{p{k}_J}((w_i^{*}+w^{\prime }+i),r_{j_i})$, and $({\delta }_i^{*},{\sigma }_i^{*})$ in $T_i$ where ${\delta }_i^{*}=E_{p{k}_J}(I{D}_{M{S}_i},F_1\left({\overline{r}}_{z_i}^{\prime }\right))$ and ${\sigma }_i^{*}=E_{p{k}_J}(({\overline{w}}_i^{*}+{\overline{w}}_i^{\prime }),{\overline{r}}_{j_i}^{\prime })$. Since $E_{p{k}_J}$ and $E_{k_i}$ are semantically secure encryption functions, the information encrypted in the above ciphertexts will not be revealed.

In both Section 3.3 and Section 3.4, $({\alpha }_i,{\beta }_i,t_i)$ can be considered as follows. For $(m$, δ, σ, γ, $s)$ ∈ $\left\{\right(m_0$, ${\delta }_0$, ${\sigma }_0$, ${\gamma }_0$, $s_0)$, $(m_1$, ${\delta }_1$, ${\sigma }_1$, ${\gamma }_1$, $s_1\left)\right\}$ and $({\alpha }_i$, ${\beta }_i$, $t_i)$, $i\in \{0,1\}$, there always exists a pair $(r_i^{\prime },b_i^{\prime })$ such that H can compute $r_i^{\prime }={\left({\alpha }_i{F}_1^2{\left(m\right)}^{-1}\right)}^{d_H}mod{n}_H$ via (1) and $b_i^{\prime }={\left({\beta }_i{F}_2{(\delta ,\sigma ,\gamma )}^{-1}\right)}^{d_H}mod{n}_H$ via (2). Thus, (3) is satisfied owing to $t_i={\left({\alpha }_i{\beta }_i\right)}^{d_H}mod{n}_H$ and $s\equiv {\left(F_1^2\left(m\right)F_2(\delta ,\sigma ,\gamma )\right)}^{d_H}(mod{n}_H)$.

From the above, given any $(m$, δ, σ, γ, $s)$ ∈ $\left\{\right(m_0$, ${\delta }_0$, ${\sigma }_0$, ${\gamma }_0$, $s_0)$, $(m_1$, ${\delta }_1$, ${\sigma }_1$, ${\gamma }_1$, $s_1\left)\right\}$ and $({\alpha }_i$, ${\beta }_i$, $t_i)$, $i\in \{0,1\}$, there always exists a corresponding pair $(r_i^{\prime },b_i^{\prime })$ such that Equations (1)–(3) are satisfied.

Hence, considering Step 6 of the game, H successes in determining b with probability $\frac{1}{2}$. We have that $P[b^{\prime }=b]=\frac{1}{2}$ and $Ad{v}_H^{Linkability}\left(k\right)=0$. Therefore, the proposed scheme satisfies the unlinkability property. ☐

4.3. Ticket Unforgeability

In 2003, Bellare et al. introduced a problem called the RSA Chosen Target Inversion (RSA-CTI) Problem [20]. Then they proved that the Full Domain Hash RSA (FDH-RSA) blind signature is unforgeable as long as the RSA-CTI problem is hard. In this section, we will show that the ticket requesting protocol of Section 3.3 and the ticket using protocol of Section 3.4 satisfy unforgeability as long as the FDH-RSA blind signature is with unforgeability.

Theorem 2. 

If an attacker $\mathcal{A}$ can forge an unused ticket in the proposed scheme (Section 3.3 or Section 3.4) with probability at least ${ϵ}_{\mathcal{A}}$ in time $t_{\mathcal{A}}$, there exists a forger $\mathcal{F}$ that can break the unforgeability of the FDH-RSA blind signature with probability at least ${ϵ}^{\prime }$ in time $t^{\prime }$ such that

$$\left\{\begin{array}{c}{ϵ}^{\prime }\ge {ϵ}_{\mathcal{A}}\hfill \\ t^{\prime }\approx t_{\mathcal{A}}+q_{\mathcal{F}}{t}_{\mathcal{F}}+2q_{\mathcal{F}}{t}_{S_D}\hfill \end{array}\right.$$

(7)

where $q_{\mathcal{F}}$ is the number of queries $\mathcal{A}$ makes to $\mathcal{F}$, $t_{\mathcal{F}}$ is the time for $\mathcal{F}$ to deal with a query, and $t_{S_D}$ is the time for the FDH-RSA blind signing oracle to process a signing query.

Proof. 

The model of this proof is shown as Figure 6. Let $S_D$ be the FDH-RSA blind signing oracle. The public key of $S_D$ is $(e_H,n_H)$. First, $\mathcal{F}$ initializes the environment by generating the public/private key pair $(p{k}_J,s{k}_J)$ of the judge and selecting three hash functions $(F_1,F_2,F_3)$. Then $\mathcal{F}$ publishes $(p{k}_J,e_H,n_H,F_1,F_2,F_3)$. $\mathcal{F}$ utilizes $(e_H,n_H)$ as the public key of H of the system. $\mathcal{F}$ will simulate the system such that $\mathcal{A}$ can query $\mathcal{F}$ to get tickets. If $\mathcal{A}$ can output $q_{\mathcal{F}}+1$ tickets after querying $\mathcal{F}{q}_{\mathcal{F}}$ times, we can succeed in one-more forgery to break the unforgeability of the FDH-RSA blind signature scheme. Here, we just show how to simulate the ticket requesting protocol of Section 3.3. The simulation of the ticket using protocol in Section 3.4 is similar to that of the protocol in Section 3.3.

When $\mathcal{A}$ submits a query $({\alpha }_i,{\theta }_i)$ to $\mathcal{F}$, $\mathcal{F}$ will return $(t_i,{\rho }_i,{\gamma }_i)$ to $\mathcal{A}$. $\mathcal{F}$ is depicted in Figure 7. Finally, $\mathcal{A}$ outputs $q_{\mathcal{F}}+1$ tickets $(s_i,m_i,{\delta }_i,{\sigma }_i,{\gamma }_i)$ where $m_i\ne m_{i^{\prime }}$, ${\delta }_i\ne {\delta }_{i^{\prime }}$, ${\sigma }_i\ne {\sigma }_{i^{\prime }}$, and $1\le i\ne i^{\prime }\le q_{\mathcal{F}}+1$. The outputted tickets can be categorized into two subsets $S_T$ and $S_{T^{\prime }}$ where $|S_T|=q_1$ and $|S_{T^{\prime }}|=q_2$. For each ticket $(s_j,m_j,{\delta }_j,{\sigma }_j,{\gamma }_j)$ in $S_T$, $({\delta }_j,{\sigma }_j)$ is in L where $1\le j\le q_1$, i.e., the tickets in $S_T$ are queried from $\mathcal{F}$. On the other hand, each ticket in $S_{T^{\prime }}$ is forged by $\mathcal{A}$. We say that $\mathcal{A}$ successfully breaks our scheme if (1) $q_1+q_2=q_{\mathcal{F}}+1$; (2) $q_1\in [0,q_{\mathcal{F}}]$; and (3) $q_2\in [1,q_{\mathcal{F}}+1]$. In the followings, we will show that we can obtain $(q_{\mathcal{F}}+q_1+2q_2)$ signatures by querying $S_D(2q_{\mathcal{F}}+q_2)$ times where $(q_{\mathcal{F}}+q_1+2q_2)-(2q_{\mathcal{F}}+q_2)=q_1+q_2-q_{\mathcal{F}}=1$.

First, according to the above simulation, we can get $q_{\mathcal{F}}$ signatures $(s_{{\beta }_i},{\delta }_i,{\sigma }_i,{\gamma }_i)$’s retrieved from L where $\mathcal{F}$ computed $s_{{\beta }_i}={\left(b_i\right)}^{-1}{t}_{{\beta }_i}mod{n}_H$ and $s_{{\beta }_i}^{e_H}\equiv F_2({\delta }_i,{\sigma }_i,{\gamma }_i)(mod{n}_H)$ with $1\le i\le q_{\mathcal{F}}$ during the simulation. For the tickets $(s_j,m_j,{\delta }_j,{\sigma }_j,{\gamma }_j)$’s in $S_T$, we can obtain $q_1$ signatures $(s_{{\alpha }_j},F_1\left(m_j\right))$ by retrieving $s_{{\beta }_j}$ from L via $({\delta }_j,{\sigma }_j)$ and then computing $s_{{\alpha }_j}=s_j{\left(s_{{\beta }_j}\right)}^{-1}mod{n}_H$ where $s_{{\alpha }_j}^{e_H}\equiv F_1^2\left(m_j\right)(mod{n}_H)$ with $1\le j\le q_1$. For the tickets $(s_{j^{\prime }},m_{j^{\prime }},{\delta }_{j^{\prime }},{\sigma }_{j^{\prime }},{\gamma }_{j^{\prime }})$’s in $S_{T^{\prime }}$, we can get $q_2$ signatures $({\widehat{s}}_{{\alpha }_{j^{\prime }}},F_1\left(m_{j^{\prime }}\right))$’s and $q_2$ signatures $({\widehat{s}}_{{\beta }_{j^{\prime }}},{\delta }_{j^{\prime }},{\sigma }_{j^{\prime }},{\gamma }_{j^{\prime }})$’s by the following procedure where $1\le j^{\prime }\le q_2$. We first randomly select ${\widehat{b}}_{j^{\prime }}\in {\{0,1\}}^{l_r}$ and compute ${\widehat{\beta }}_{j^{\prime }}={\widehat{b}}_{j^{\prime }}^{e_H}{F}_2({\delta }_{j^{\prime }},{\sigma }_{j^{\prime }},{\gamma }_{j^{\prime }})mod{n}_H$. Then we send ${\widehat{\beta }}_{j^{\prime }}$ to $S_D$ and obtains ${\widehat{t}}_{{\beta }_{j^{\prime }}}$. Finally, we compute ${\widehat{s}}_{{\beta }_{j^{\prime }}}={\widehat{t}}_{{\beta }_{j^{\prime }}}{\left({\widehat{b}}_{j^{\prime }}\right)}^{-1}mod{n}_H$ and ${\widehat{s}}_{{\alpha }_{j^{\prime }}}=s_{j^{\prime }}{\left({\widehat{s}}_{{\beta }_{j^{\prime }}}\right)}^{-1}mod{n}_H$ where ${\widehat{s}}_{{\alpha }_{j^{\prime }}}^{e_H}\equiv F_1^2\left(m_{j^{\prime }}\right)(mod{n}_H)$ and ${\widehat{s}}_{{\beta }_{j^{\prime }}}^{e_H}\equiv F_2({\delta }_{j^{\prime }},{\sigma }_{j^{\prime }},{\gamma }_{j^{\prime }})(mod{n}_H)$ for each $j^{\prime }$ with $1\le j^{\prime }\le q_2$. Consequently, we query $S_D(2q_{\mathcal{F}}+q_2)$ times and obtain $(q_{\mathcal{F}}+q_1+2q_2)$ signatures. We succeed in one-more forgery to break the FDH-RSA blind signature scheme.

☐

4.4. Tamper Resistance

In our scheme, the information $(\delta ,\sigma ,\gamma )$ of a ticket is used for anonymity control, charging, and recording the due date of the ticket, respectively. In this subsection, we will show that none can tamper $(\delta ,\sigma ,\gamma )$ of a ticket. First, we introduce a problem called the alternative formulation of RSA Known-Target Inversion (RSA-AKTI) Problem [20] which has been proved being hard by Bellare et al.

Definition 4 (RSA AKTI). 

Let $k\in \mathbb{N}$ be the security parameter. Let $\mathcal{A}$ be an adversary which can access the RSA-inversion oracle ${\mathcal{O}}_{inv}$ and the challenge oracle ${\mathcal{O}}_N$. The challenge oracle ${\mathcal{O}}_N$ will randomly return $y_i\in {\mathbb{Z}}_{n_H}^{*}$ when it is queried. Consider the following experiment:

$$\begin{array}{c}Experiment Ex{p}_{\mathcal{A}}^{RSA-AKTI}\left(k\right)\hfill \\ -(n_H,e_H,d_H)\leftarrow KeyGen\left(k\right).\hfill \\ -(x_1,\cdots ,x_m)\leftarrow A^{{\mathcal{O}}_{inv},{\mathcal{O}}_N}(n_H,e_H,k) where m is the\hfill \\ number of queries to {\mathcal{O}}_N.\hfill \\ -Let y_1,\cdots ,y_m be the challenges returned by {\mathcal{O}}_N.\hfill \\ If the followings are both true, return 1; else return 0.\hfill \\ 1.\forall i\in \{1,\cdots ,m\}:x_i^{e_H}\equiv y_i(mod{n}_H).\hfill \\ 2.\mathcal{A} made strictly fewer than m queries to {\mathcal{O}}_{inv}.\hfill \end{array}$$

In the ticket requesting protocol (Section 3.3) and the ticket using protocol (Section 3.4), if λ tickets are requested, the system side (the judge device) will generate $({\delta }_i,{\sigma }_i,{\gamma }_i)$ for each ticket where $1\le i\le \lambda$. Here, we define ticket tampering below.

Definition 5 (Ticket Tampering).

There exists an attacker ${\mathcal{A}}_{TR}$ who runs the ticket requesting protocol in Section 3.3 or the ticket using protocol in Section 3.4 λ times. Let $S_{\mathcal{A}}=\{({\delta }_1,{\sigma }_1,{\gamma }_1)$, ⋯, $({\delta }_{\lambda },{\sigma }_{\lambda },{\gamma }_{\lambda })\}$ where $({\delta }_i,{\sigma }_i,{\gamma }_i)$ is generated for ${\mathcal{A}}_{TR}$ and thus ${\delta }_i$ contains ${\mathcal{A}}_{TS}$’s identity and ${\sigma }_i$ contains an accumulated value which ${\mathcal{A}}_{TR}$ spent for $i=1,\cdots ,\lambda$. ${\mathcal{A}}_{TR}$ can output a tampered ticket $(s,m,{\delta }^{\prime },{\sigma }^{\prime },{\gamma }^{\prime })$ where $({\delta }^{\prime },{\sigma }^{\prime },{\gamma }^{\prime })\notin S_{\mathcal{A}}$.

Theorem 3. 

The proposed scheme is secure against Ticket Tampering if the RSA-AKTI problem is hard.

Proof. 

The model of this proof is shown in Figure 8. There exist a simulator $\mathcal{S}$ and an attacker ${\mathcal{A}}_{\mathcal{TR}}$ in this model. $\mathcal{S}$ will simulate the environment of our proposed scheme in the random oracle model. $\mathcal{S}$ engages in the proposed scheme to generate the key pair $(p{k}_J,s{k}_J)$ of the judge and creates two oracles ${\mathcal{O}}_{F_1}$ and ${\mathcal{O}}_{F_2}$. $\mathcal{S}$ can query the oracles ${\mathcal{O}}_N$ and ${\mathcal{O}}_{inv}$ defined in Definition 4. ${\mathcal{A}}_{TR}$ will query ${\mathcal{O}}_{F_1}$ and ${\mathcal{O}}_{F_2}$ for the hashed values of the hash functions $F_1$ and $F_2$, respectively. There are two lists $L_{F_1}$ and $L_{F_2}$. $L_{F_1}$ will be used to store $(m,\tau )$ where $F_1\left(m\right)={\tau }^{e_H}mod{n}_H$ and $L_{F_2}$ will be used to record $(\delta ,\sigma ,\gamma ,\pi )$ where $F_2(\delta ,\sigma ,\gamma )=\pi$. ${\mathcal{A}}_{TR}$ can query $\mathcal{S}$ at most ${\lambda }_1$ times, ${\mathcal{O}}_{F_1}$ at most ${\lambda }_2$ times, and ${\mathcal{O}}_{F_2}$ at most ${\lambda }_3$ times. $\mathcal{S}$, ${\mathcal{O}}_{F_1}$, and ${\mathcal{O}}_{F_2}$ are described in Figure 9. Before ${\mathcal{A}}_{TR}$ queries $\mathcal{S}$, $\mathcal{S}$ initializes the environment by publishing $(n_H,e_H,p{k}_J)$, setting $i_{guess}=0$, and guessing a number ${\lambda }^{\prime }$ where $1\le {\lambda }^{\prime }\le {\lambda }_3$. $\mathcal{S}$ guesses that ${\mathcal{A}}_{TR}$ will successfully output a tampered ticket as $(s,m,\delta ,\sigma ,\gamma )$ such that 3-tuple $(\delta ,\sigma ,\gamma )$ is not produced by $\mathcal{S}$, i.e., $(\delta ,\sigma ,\gamma )\notin ({\delta }_i,{\sigma }_i,{\gamma }_i)$ for each i with $1\le i\le {\lambda }_1$, where the value of $F_2(\delta ,\sigma ,\gamma )$ is obtained from ${\mathcal{O}}_{F_2}$ at the ${\lambda }^{\prime }$th query to ${\mathcal{O}}_{F_2}$.

As shown in Figure 9, when ${\mathcal{A}}_{TR}$ submits a query $({\alpha }_i,{\theta }_i)$ to $\mathcal{S}$, $\mathcal{S}$ will send ${\alpha }_i{\beta }_i\equiv b_i^{e_H}{c}_i(mod{n}_H)$ to ${\mathcal{O}}_{inv}$ and get $x_i\equiv c_i^{d_H}\equiv t_i{b}_i^{-1}(mod{n}_H)$ where $1\le i\le {\lambda }_1$. $\mathcal{S}$ stores $(x_i,c_i)$’s in a list L. If ${\mathcal{A}}_{TR}$ successfully outputs a tampered ticket $(s,m,\delta ,\sigma ,\gamma )$ after ${\lambda }_1$ queries to $\mathcal{S}$ with probability at least ${ϵ}_{TR}$, we can obtain $x_{{\lambda }_1+1}\equiv {\left(c^{\prime }\right)}^{d_H}(mod{n}_H)$ with probability at least ${ϵ}_{TR}^{\prime }\ge \frac{{ϵ}_{TR}}{{\lambda }_3}$ by the following procedure.

• Search $L_{F_1}$ by m and get entry $(m,{\tau }^{\prime })$.
• Search $L_{F_1}$ by ${\left({\tau }^{\prime }\right)}^{e_H}mod{n}_H$ and get entry $({\left({\tau }^{\prime }\right)}^{e_H}mod{n}_H,\tau )$ where $F_1^2\left(m\right)={\tau }^{e_H}mod{n}_H$, i.e., $\tau ={\left(F_1^2\left(m\right)\right)}^{d_H}mod{n}_H$.
• Compute $x_{{\lambda }_1+1}=s{\tau }^{-1}mod{n}_H$ and thus $x_{{\lambda }_1+1}\equiv {\left(c^{\prime }\right)}^{d_H}(mod{n}_H)$.

Consequently, $\mathcal{S}$ queries ${\mathcal{O}}_N({\lambda }_1+1)$ times, and ${\mathcal{O}}_{inv}$ ${\lambda }_1$ times, and then we can obtain $(x_1,\cdots ,x_{{\lambda }_1})$ from L and $x_{{\lambda }_1+1}$ such that $x_i^{e_H}\equiv c_i(mod{n}_H)$ and $x_{{\lambda }_1+1}^{e_H}\equiv c^{\prime }(mod{n}_H)$ where $1\le i\le {\lambda }_1$. We successfully solve the RSA-AKTI problem with non-negligible probability at least ${ϵ}_{TR}^{\prime }$.

☐

4.5. Ticket Swindling Resistance

In our scheme, a mobile user has to show $T=(F_1\left(m^{*}\right)$, ${\delta }^{*}$, ${\sigma }^{*}$, γ, $s^{*})$ for authentication. In this subsection, we will prove that none can successfully pass authentication via an eavesdropped T. We call this Ticket Swindling Resistance. In order to prove this, we first introduce the communication model and some definitions as follows.

The Communication Model. We briefly describe the communication model [21,22] of our distributed environment. Oracle ${\Pi }_{M{S}_i,V_j}^u$ models that a mobile user $M{S}_i$ performs the anonymous authentication protocol of Section 3.4 with the entity $V_j$ in the uth session of $M{S}_i$. Oracle ${\Pi }_{V_j,M{S}_i}^v$ models that a system entity $V_j$ performs the protocol with the mobile user $M{S}_i$ in the vth session of $V_j$. An adversary E is a probabilistic polynomial-time Turing machine that is allowed to make the following queries.

• $Execute({\Pi }_{M{S}_i,V_j}^u$, ${\Pi }_{V_j,M{S}_i}^v)$: This query models all kinds of passive attacks. $M{S}_i$ and $V_j$ will carry out the protocol of Section 3.4 and the adversary E can eavesdrop all messages transmitted between $M{S}_i$ and $V_j$.
• $Send({\Pi }_{M{S}_i,V_j}^u$, $\mathcal{M})$ or $Send({\Pi }_{V_j,M{S}_i}^v$, $\mathcal{M})$: This query models all kinds of active attacks. The adversary E can send any message $\mathcal{M}$ to ${\Pi }_{M{S}_i,V_j}^u$ or ${\Pi }_{V_j,M{S}_i}^v$ which will give responses to E according to the protocol of Section 3.4. E can make the query $Send({\Pi }_{M{S}_i,V_j}^u$, $\mathcal{N})$ to get a response of the first flow where $\mathcal{N}$ is an empty string.
• $Reveal\left({\Pi }_{M{S}_i,V_j}^u\right)$ or $Reveal\left({\Pi }_{V_j,M{S}_i}^v\right)$: This query allows the adversary to get the session key of ${\Pi }_{M{S}_i,V_j}^u$ or ${\Pi }_{V_j,M{S}_i}^v$ after ${\Pi }_{M{S}_i,V_j}^u$ and ${\Pi }_{V_j,M{S}_i}^v$ have successfully finished mutual authentication and established a common session key.
• $Reveal\left(T\right)$: This query allows the adversary to obtain the secret value m if T has been successfully consumed for authentication where $T=(F_1\left(m\right)$, δ, σ, γ, $s)$.
• $Corrupt\left(V_j\right)$: This query reveals $V_j$’s long-term key $s{k}_{V_j}$.

In our protocol, once a mobile user consumes her/his T for authentication, T will be kept in the system’s database for double-using checking. Hence, a successfully-used T cannot be consumed again by any eavesdropper. Any attacker can just try to swindle an eavesdropped T which has not been successfully used, i.e., the attacker has to interfere the authentication process after she/he obtains T in the first flow of the authentication protocol in Section 3.4. We define Ticket Swindling below.

Definition 6 (The Ticket Swindling Game). 

Let $k\in \mathbb{N}$ be the security parameter. ${\mathcal{A}}_{TS}$ is a polynomial time adversary who tries to swindle an eavesdropped T. Consider the following experiment:

$$\begin{array}{c}Experiment Ex{p}_{{\mathcal{A}}_{TS}}^{TS}\left(k\right)\hfill \\ -(n_H,e_H,F_1,F_2,F_3,p{k}_J,p{k}_V)\leftarrow Setup\left(k\right)\hfill \\ -{\mathcal{A}}_{TS}^{Execute,Send,Reveal,Corrupt}(n_H,e_H,F_1,F_2,F_3,p{k}_J,p{k}_V)\hfill \\ If the followings are true return 1 else return 0\hfill \\ 1.{\mathcal{A}}_{TS} makes Send({\Pi }_{V_j,M{S}_i}^v,(\alpha ,{\theta }_1,T,{\theta }_2)) and\hfill \\ Send({\Pi }_{V_j,M{S}_i}^v,r_5) queries and then {\Pi }_{V_j,M{S}_i}^v accepts.\hfill \\ 2.T is outputted from {\Pi }_{M{S}_i,V_j}^u\hfill \\ 3.r_5 has never been outputted by {\Pi }_{M{S}_i,V_j}^u\hfill \\ 4.{\mathcal{A}}_{TS} has never made Reveal\left(T\right) and Corrupt\left(V_j\right)queries\hfill \end{array}$$

The advantage of ${\mathcal{A}}_{TS}$ is $Ad{v}_{{\mathcal{A}}_{TS}}^{TS}\left(k\right)=Pr[Ex{p}_{{\mathcal{A}}_{TS}}^{TS}\left(k\right)=1]$. We say that our scheme satisfies Ticket Swindling Resistance if $Ad{v}_{{\mathcal{A}}_{TS}}^{TS}\left(k\right)$ is negligible.

Besides, we define the following Indistinguishability Game under the Chosen-Ciphertext Attack (IND-CCA) based on [23].

Definition 7 (IND-CCA). 

Let $k\in \mathbb{N}$ be the security parameter. $\mathcal{C}$ is a challenger and $\mathcal{F}$ is a polynomial time adversary. $\mathcal{P}$ is an asymmetric cryptosystem with semantic security where the public-private key pair is $(pk,sk)$. There are two oracles ${\mathcal{O}}_E$ and ${\mathcal{O}}_D$. $\mathcal{F}$ can query ${\mathcal{O}}_E$ to encrypt a plaintext by $pk$ and query ${\mathcal{O}}_D$ to decrypt a ciphertext by $sk$. Consider the following experiment:

$$\begin{array}{c}Experiment Ex{p}_{\mathcal{F}}^{IND-CCA}\left(k\right)\hfill \\ -(pk,sk)\leftarrow Setup\left(k\right)\hfill \\ -(M_0,M_1)\leftarrow {\mathcal{F}}^{{\mathcal{O}}_E,{\mathcal{O}}_D}\hfill \\ -E_{pk}\left(M_b\right)\stackrel{b{\in }_R\{0,1\}}{\leftarrow }\mathcal{C}(M_0,M_1)\hfill \\ -b^{\prime }\leftarrow {\mathcal{F}}^{{\mathcal{O}}_E,{\mathcal{O}}_D}\left(E_{pk}\left(M_b\right)\right)\hfill \\ If the followings are both true return 1 else return 0\hfill \\ 1.\mathcal{F} never submits the query E_{pk}\left(M_b\right)to {\mathcal{O}}_D\hfill \\ 2.b^{\prime }=b\hfill \end{array}$$

We define the advantage of $\mathcal{F}$ is $Ad{v}_{\mathcal{F}}^{IND-CCA}\left(k\right)=|Pr[Ex{p}_{\mathcal{F}}^{IND-CCA}\left(k\right)=1]-\frac{1}{2}|$.

We also introduce the RSA Single-Target Inversion Problem (RSA-STI) [20] as follows.

Definition 8 (RSA-STI). 

Let $k\in \mathbb{N}$ be the security parameter. Let $\mathcal{A}$ be a polynomial time adversary. Consider the following experiment:

$$\begin{array}{c}Experiment Ex{p}_{\mathcal{A}}^{RSA-STI}\left(k\right)\hfill \\ -(N,e,d)\stackrel{R}{\leftarrow }KeyGen\left(k\right)\hfill \\ -y\stackrel{R}{\leftarrow }{\mathbb{Z}}_N^{*};x\leftarrow \mathcal{A}(N,e,k,y)\hfill \\ If x^e\equiv y(modN) return 1 else return 0\hfill \end{array}$$

We define the advantage of $\mathcal{A}$ as $Ad{v}_{\mathcal{A}}^{RSA-STI}\left(k\right)=Pr[Ex{p}_{\mathcal{A}}^{RSA-STI}\left(k\right)=1]$.

Theorem 4. 

The proposed anonymous authentication protocol satisfies Ticket Swindling Resistance.

Proof. 

The proof model is illustrated in Figure 10. A simulator ${\mathcal{S}}_{TS}$ will simulate the communication environment and help us to solve the RSA-STI problem. First, ${\mathcal{S}}_{TS}$ obtains the parameters $(N,e,y)$ from the RSA-STI problem. ${\mathcal{S}}_{TS}$ initializes the system parameters, which are the public-private key pairs of H, V’s, and the judge, and constructs the oracles ${\Pi }_{M{S}_i,V_j}^u$ and ${\Pi }_{V_j,M{S}_i}^v$. ${\mathcal{S}}_{TS}$ also controls three hash oracles ${\mathcal{O}}_{F_1}$, ${\mathcal{O}}_{F_2}$, and ${\mathcal{O}}_{F_3}$ to simulate the hash functions $F_1$, $F_2$, and $F_3$, respectively. When ${\mathcal{O}}_{F_1}$ is queried with m, it will return $r_{f_1}$ retrieved from $L_{F_1}$ via m if m exists in $L_{F_1}$ or return $r_{f_1}=(m^{e}modN)$ and records $(m,r_{f_1})$ in $L_{F_1}$. If ${\mathcal{O}}_{F_2}$ is queried with $(\delta ,\sigma ,\gamma )$, it will return $r_{f_2}$ retrieved from $L_{F_2}$ via $(\delta ,\sigma ,\gamma )$ if $(\delta ,\sigma ,\gamma )$ exists in $L_{F_2}$ or return a randomly-selected string $r_{f_2}\in {\{0,1\}}^{l_r}$ and record $(\delta ,\sigma ,\gamma ,r_{f_2})$ in $L_{F_2}$. When ${\mathcal{O}}_{F_3}$ is queried with $\left(r_2\right|\left|r_4\right)$, it will return $r_{f_3}$ retrieved from $L_{F_3}$ if $\left(r_2\right|\left|r_4\right)$ exists in $L_{F_3}$ or a randomly-chosen string $r_{f_3}\in {\{0,1\}}^{l_r}$ and record $\left(\right(r_2\left|\right|r_4),r_{f_3})$ in $L_{F_3}$. There is also an oracle ${\mathcal{O}}_T$ which plays the role of H in the protocol of Section 3.3 (or Section 3.4) to issue tickets. ${\mathcal{O}}_T$ will return $(t,\rho ,\gamma )$ when it is queried with $(\alpha ,\theta )$.

Assume that an attacker ${\mathcal{A}}_{TS}$ performs at most $q_1$ times of $Execute({\Pi }_{M{S}_i,V_j}^u$, ${\Pi }_{V_j,M{S}_i}^v)$ queries, $q_2$ times of $Send({\Pi }_{M{S}_i,V_j}^u,\mathcal{N})$ queries, and $q_3$ times of $Send({\Pi }_{V_j,M{S}_i}^v,\mathcal{M})$ queries. ${\mathcal{A}}_{TS}$ can also submit a $Reveal\left(T\right)$ query to get the secret m of T where T must have been consumed for authentication.

${\mathcal{S}}_{TS}$ initializes four global parameters which are $i_{guess}=0$, $s_{guess}=0$, $T_{guess}=\mathcal{N}$, and $r_{guess}=\mathcal{N}$. Then ${\mathcal{S}}_{TS}$ guesses that the attacker ${\mathcal{A}}_{TS}$ will swindle T which is returned from the λth $Send({\Pi }_{M{S}_i,V_j}^u,\mathcal{N})$ query. When $Execute({\Pi }_{M{S}_i,V_j}^u$, ${\Pi }_{V_j,M{S}_i}^v)$ is queried, the oracle ${\Pi }_{M{S}_i,V_j}^u$ will run the protocol of Section 3.3 (or Section 3.4) with ${\mathcal{O}}_T$ to get a ticket $(m,\delta ,\sigma ,\gamma ,s)$ and prepares $T=(F_1\left(m\right),\delta ,\sigma ,\gamma ,s)$. Then it takes T to perform the protocol of Section 3.4 with ${\Pi }_{V_j,M{S}_i}^v$ under the presence of ${\mathcal{A}}_{TS}$. When $Send({\Pi }_{M{S}_i,V_j}^u,\mathcal{M})$ and $Send({\Pi }_{V_j,M{S}_i}^v,\mathcal{M})$ are queried, ${\Pi }_{M{S}_i,V_j}^u$ and ${\Pi }_{V_j,M{S}_i}^v$ will act according to Figure 11. There are five lists in Figure 11 where $L_{T_{MS}}$ and $L_{T_V}$ are used to record the transcript of ${\Pi }_{M{S}_i,V_j}^u$ and ${\Pi }_{V_j,M{S}_i}^v$, $L_{K_{MS}}$ and $L_{K_V}$ store the session keys of ${\Pi }_{M{S}_i,V_j}^u$ and ${\Pi }_{V_j,M{S}_i}^v$, and $L_{usedT}$ records all used T’s.

In Figure 11, $s_{guess}$ denotes the session u of ${\Pi }_{M{S}_i,V_j}^u$. ${\Pi }_{M{S}_i,V_j}^u$ checks if the current session u is corresponding to the λth $Send({\Pi }_{M{S}_i,V_j}^u,\mathcal{N})$ query (line 27 to line 30). If true, it randomly selects $r_5\in {\{0,1\}}^{l_r}$. Here, ${\Pi }_{M{S}_i,V_j}^u$ does not know x and sets $F_3(r_2\left|\right|r_4)=\perp$. The simulation will fail if ${\mathcal{A}}_{TS}$ sends a query $\left(r_2\right|\left|r_4\right)$ to ${\mathcal{O}}_{F_3}$. However, we will show that the probability of the above failure is negligible in Appendix.

In Figure 11, ${\Pi }_{V_j,M{S}_i}^v$ checks if $r_{f_3}$ is equal to ⊥. If true, this means that the current session v matches the λth $Send({\Pi }_{M{S}_i,V_j}^u,\mathcal{N})$ query.

After finishing the simulation, ${\mathcal{S}}_{TS}$ can retrieve $(m,T)$ from $L_{usedT}$ via $T_{guess}$. If $m\ne \perp$, ${\mathcal{S}}_{TS}$ has that $T_{guess}=T=(m^{\prime }=y,\delta ,\sigma ,\gamma ,s)$ where $y=F_1\left(m\right)=m^{e}modN$. Thus, ${\mathcal{S}}_{TS}$ solves the RSA-STI problem. Therefore, ${\mathcal{A}}_{TS}$, with non-negligible probability at least ${ϵ}_{TS}$, can consume an eavesdropped T to successfully perform the anonymous authentication protocol of Section 3.4 with ${\Pi }_{V_j,M{S}_i}^v$, $S_{TS}$ can solve the RSA-STI problem with non-negligible advantage at least $\frac{{ϵ}_{TS}}{q_2}$.

☐

4.6. Secure Mutual Authentication

In order to prove the security of mutual authentication in the proposed scheme, we first introduce Matching Conversations and No Matching${}^E\left(k\right)$ [21,22] as follows.

Definition 9 (Matching Conversations). 

Fix a number of flows $R=2\rho -1$ and an R-flow protocol $P=(\Pi ,\mathcal{G})$ where Π specifies how players behave and $\mathcal{G}$ generates key pairs for each entity. Run P in the presence of an adversary E and consider two oracles ${\Pi }_{M{S}_i,V_j}^u$ and ${\Pi }_{V_j,M{S}_i}^v$, that engage in conversations K and $K^{\prime }$ respectively.

• $K^{\prime }$ is a matching conversation to K if there exist ${\tau }_0<{\tau }_1<\cdots <{\tau }_{R-1}$ such that K is prefixed by

  $$({\tau }_0,\mathcal{N},{\alpha }_1),({\tau }_2,{\beta }_1,{\alpha }_2),\cdots ,({\tau }_{2\rho -2},{\beta }_{\rho -1},{\alpha }_{\rho })$$

  and $K^{\prime }$ is prefixed by

  $$({\tau }_1,{\alpha }_1,{\beta }_1),({\tau }_3,{\alpha }_2,{\beta }_2),\cdots ,({\tau }_{2\rho -3},{\alpha }_{\rho -1},{\beta }_{\rho -1})$$
• K is a matching conversation to $K^{\prime }$ if there exist ${\tau }_0<{\tau }_1<\cdots <{\tau }_R$ such that $K^{\prime }$ is prefixed by

  $$({\tau }_1,{\alpha }_1,{\beta }_1),({\tau }_3,{\alpha }_2,{\beta }_2),\cdots ,({\tau }_{2\rho -3},{\alpha }_{\rho -1},{\beta }_{\rho -1}),({\tau }_{2\rho -1},{\alpha }_{\rho },*)$$

  and K is prefixed by

  $$({\tau }_0,\mathcal{N},{\alpha }_1),({\tau }_2,{\beta }_1,{\alpha }_2),\cdots ,({\tau }_{2\rho -2},{\beta }_{\rho -1},{\alpha }_{\rho })$$

Finally, ${\Pi }_{M{S}_i,V_j}^u$ and ${\Pi }_{V_j,M{S}_i}^v$ are said to have had matching conversations if K is a matching conversation to $K^{\prime }$ and $K^{\prime }$ is a matching conversation to K.

Definition 10 (No Matching${}^E\left(k\right)$). 

Let $k\in \mathbb{N}$ be the security parameter. No Matching${}^E\left(k\right)$ is that when protocol P is run against an adversary E, there exists an oracle ${\Pi }_{M{S}_i,V_j}^u$ with $M{S}_i,V_j\notin S_C$ (where $S_C$ denotes the set of entities corrupted by E) which accepted but there is no oracle ${\Pi }_{V_j,M{S}_i}^v$ which has had a matching conversation to ${\Pi }_{M{S}_i,V_j}^u$, or vice versa.

Definition 11. 

A protocol P is a secure mutual authentication protocol if for every polynomial-time adversary E:

• If ${\Pi }_{M{S}_i,V_j}^u$ and ${\Pi }_{V_j,M{S}_i}^v$ have matching conversations, then both oracles accept;
• The probability of No Matching${}^E\left(k\right)$ is negligible.

Theorem 5. 

The protocol of Section 3.4 is a secure mutual authentication protocol.

Proof. 

Our authentication protocol satisfies the first condition of Definition 11, if the the adversary acts as a wire. Hence, we concentrate on the proof for the second condition.

When we carry out the experiment of the communication model against E, E may succeed in the following two cases. Case 1 is that there exists an oracle ${\Pi }_{M{S}_{,}{V}_j}^u$ which accepted, where $M{S}_i,V_j\notin S_C$ and $S_C$ is the set of corrupted entities, but there is no oracle ${\Pi }_{V_j,M{S}_i}^v$ has a matching conversation to ${\Pi }_{M{S}_i,V_j}^u$. Case 2 is that there exists an oracle ${\Pi }_{V_j,M{S}_i}^v$ which accepted but there is no oracle ${\Pi }_{M{S}_{,}{V}_j}^u$ has a matching conversation to ${\Pi }_{V_j,M{S}_i}^v$. Suppose that E has probability ${ϵ}_1$ in Case 1 and ${ϵ}_2$ in Case 2. Thus, we conclude that if No Mathing${}^E\left(k\right)$ is non-negligible, ${ϵ}_1$ or ${ϵ}_2$ must be non-negligible.

In Case 1, E has to make $Send({\Pi }_{M{S}_i,V_j}^u,\mathcal{N})$ query at some time ${\tau }_0$ and make $Send({\Pi }_{M{S}_i,V_j}^u,(r_1,r_4))$ query at some time ${\tau }_2>{\tau }_0$. If $(r_1,r_4)$ are valid, the state of ${\Pi }_{M{S}_i,V_j}^u$ will be changed as “accepted”. The proof model of this case is depicted in Figure 12. In the proof model, we will construct a simulator ${\mathcal{S}}_{MA}$ who will simulate the communication environment to E and try to break the IND-CCA defined in Definition 7. Assume that there are $q_1$ entities $M{S}_i$’s and $q_2$ entities $V_j$’s in the communication environment and E will perform $Send({\Pi }_{M{S}_i,V_j}^u,\mathcal{N})$ at most $q_3$ times with $i\in \{1,\cdots ,q_1\}$ and $j\in \{1,\cdots ,q_2\}$ where $q_1$, $q_2$, and $q_3$ are polynomials of security parameter k. There also exists an oracle ${\mathcal{O}}_T$ who will play the role of H to run the protocol of Section 3.3 to issue tickets.

In order to set up the communication environment, ${\mathcal{S}}_{MA}$ first randomly selects four strings, $({\tilde{r}}_1,{\tilde{r}}_1^{\prime },{\tilde{r}}_2,{\tilde{r}}_3)$, and sets $m_0=({\tilde{r}}_1,{\tilde{r}}_2,{\tilde{r}}_3)$ and $m_1=({\tilde{r}}_1^{\prime },{\tilde{r}}_2,{\tilde{r}}_3)$. Then, ${\mathcal{S}}_{MA}$ sends $(m_0,m_1)$ to $\mathcal{C}$ and gets $\pi =E_{pk}\left(m_b\right)$ from $\mathcal{C}$ where $b{\in }_R\{0,1\}$ and $pk$ is the public key in the IND-CCA game. $S_R$ denotes the set of the outputs of $Send({\Pi }_{V_j,M{S}_i}^v,(\alpha ,{\theta }_1,T,{\theta }_2))$ queries, i.e., the second flow $(r_1,r_4)$’s. ${\mathcal{S}}_{MA}$ randomly chooses two integers λ and $j^{\prime }$ and guesses that ${\Pi }_{M{S}_i,V_{j^{\prime }}}^u$ will accept after E makes $Send({\Pi }_{M{S}_i,V_{j^{\prime }}}^u,(r_1,r_4))$ query where $(r_1,r_4)\notin S_R$ and the session u was started by the λth $Send({\Pi }_{M{S}_i,V_{j^{\prime }}}^u,\mathcal{N})$ query. Then, ${\mathcal{S}}_{MA}$ sets up the public/private keys $(p{k}_{V_j},s{k}_{V_j})$ for entity $V_j$, where $j=\{1,\cdots ,q_2\}$ and $j\ne j^{\prime }$, and assigns the public key $pk$ to entity $V_{j^{\prime }}$ and generates public/private keys $(e_H,n_H,d_H)$ and $(p{k}_J,s{k}_J)$ for H and the judge.

When E makes $Execute({\Pi }_{M{S}_i,V_j}^u,{\Pi }_{V_j,M{S}_i}^v)$ query, ${\Pi }_{M{S}_i,V_j}^u$ will perform the protocol of Section 3.3 with ${\mathcal{O}}_T$ and get $(t,\rho ,\gamma )$. Then, ${\Pi }_{M{S}_i,V_j}^u$ prepares $T=(F_1\left(m\right),\delta ,\sigma ,\gamma ,s)$ and runs the protocol of Section 3.4 with ${\Pi }_{V_j,M{S}_i}^v$ in the presence of E. If $V_{j^{\prime }}$ is involved in the execution query, $S_{MA}$ can simulate it by running the protocol of Section 3.4 with querying ${\mathcal{O}}_E$ for encryption and querying ${\mathcal{O}}_D$ for decryption. Besides, ${\mathcal{S}}_{MA}$ initializes two global parameters $i_{guess}=0$ and $f_{guess}=0$ and empties four lists $L_{T_{MS}}$, $L_{K_{MS}}$, $L_{T_V}$, and $L_{K_V}$. When E makes $Send({\Pi }_{M{S}_i,V_j}^u,\mathcal{M})$ and $Send({\Pi }_{V_j,M{S}_i}^v,\mathcal{M})$ queries, the actions of ${\Pi }_{M{S}_i,V_j}^u$ and ${\Pi }_{V_j,M{S}_i}^v$ are defined in Figure 13.

In Line 22 of ${\Pi }_{M{S}_i,V_j}^u$ in Figure 13, ${\mathcal{S}}_{MA}$ tries to break IND-CCA as follows. If $f_{guess}=0$, ${\mathcal{S}}_{MA}$ will guess $b^{\prime }=0$ when $r_1^{\prime }={\tilde{r}}_1$, guess $b^{\prime }=1$ when $r_1^{\prime }={\tilde{r}}_1^{\prime }$, and randomly guess $b^{\prime }\in \{0,1\}$ when $r_1^{\prime }\ne {\tilde{r}}_1$ and $r_1^{\prime }\ne {\tilde{r}}_1^{\prime }$. If $f_{guess}=1$, ${\mathcal{S}}_{MA}$ will randomly guess $b^{\prime }\in \{0,1\}$. If ${ϵ}_1$ is non-negligible, ${\mathcal{S}}_{MA}$ has non-negligible advantage $Ad{v}_{{\mathcal{S}}_{MA}}^{IND-CCA}\left(k\right)$ to output a guess bit $b^{\prime }$ such that $b^{\prime }=b$ where $Ad{v}_{{\mathcal{S}}_{MA}}^{IND-CCA}\left(k\right)={ϵ}_1^{\prime }-\frac{1}{2}$ and

$$\begin{array}{cc}{ϵ}_1^{\prime }\hfill & =\frac{{ϵ}_1+(1-{ϵ}_1)\frac{1}{2^{l_r}}}{q_2{q}_3}+\frac{(1-{ϵ}_1)\frac{2^{l_r}-1}{2^{l_r}}}{2q_2{q}_3}+\frac{(q_2{q}_3-1)}{2q_2{q}_3}\hfill \\ & >\frac{2{ϵ}_1}{2q_2{q}_3}+\frac{(1-{ϵ}_1)\frac{1}{2^{l_r}}+(1-{ϵ}_1)\frac{2^{l_r}-1}{2^{l_r}}}{2q_2{q}_3}+\frac{(q_2{q}_3-1)}{2q_2{q}_3}\hfill \\ & =\frac{{ϵ}_1}{2q_2{q}_3}+\frac{1}{2}.\hfill \end{array}$$

In Case 2, E has to send a valid 4-tuple $(\alpha ,{\theta }_1,\widehat{T},{\theta }_2)$ to ${\Pi }_{V_j,M{S}_i}^v$ first and then respond a valid string ${\widehat{r}}_5$ after receiving $({\widehat{r}}_1,{\widehat{r}}_4)$ from ${\Pi }_{V_j,M{S}_i}^v$. Let $S_T$ be the set of T’s obtained by ${\Pi }_{M{S}_i,V_j}^u$. The followings are two sub-cases when E successfully impersonates ${\Pi }_{M{S}_i,V_j}^u$.

• $\widehat{T}\notin S_T$: Assume that $\widehat{T}=(F_1\left(\widehat{m}\right)$, $\widehat{\delta }$, $\widehat{\sigma }$, $\widehat{\gamma }$, $\widehat{s})$. Thus, ${\mathcal{S}}_{MA}$ can obtain $\widehat{m}=\widehat{r_5}\oplus F_3(r_2\left|\right|r_4)$ and forge a ticket $(\widehat{m},\widehat{\delta },\widehat{\sigma },\widehat{\gamma },\widehat{s})$. However, we have proved the security of ticket unforgeability in Section 4.3. Hence, the probability of that E is successful in this sub-case is negligible.
• $\widehat{T}\in S_T$: In the sub-case, E successfully swindles $\widehat{T}$ which is owned by ${\Pi }_{M{S}_i,V_j}^u$. We have proved the security of ticket swindling resistance in Section 4.5. Consequently, the probability of that E is successful in this sub-case is also negligible.

Therefore, the probability ${ϵ}_2$ is negligible. We conclude that No Matching${}^E\left(k\right)$ is negligible because ${ϵ}_1$ and ${ϵ}_2$ are both negligible. ☐

4.7. Secure Authenticated Key Exchange

First, we introduce a new query, $Test\left({\Pi }_{M{S}_i,V_j}^u\right)$. An adversary E can ask $Test\left({\Pi }_{M{S}_i,V_j}^u\right)$ query after ${\Pi }_{M{S}_i,V_j}^u$ has established a session key $r_3$ with another oracle ${\Pi }_{V_j,M{S}_i}^v$. To answer this query, the oracle flips a fair coin $b^{\prime }\leftarrow \{0,1\}$ and then returns $r_k=r_3$ if $b^{\prime }=0$ and $r_k{\in }_R{\{0,1\}}^{l_r}$ if $b^{\prime }=1$. In the following, we define an experiment which was also introduced in [15,21].

Definition 12. 

Let $k\in \mathbb{N}$ be a security parameter. In this experiment, the adversary E will try to guess that the returned value $r_k$ from $Test\left({\Pi }_{M{S}_i,V_j}^u\right)$ query is a random string or the real session key.

$$\begin{array}{c}Experiment Ex{p}_E^{GoodGuess}\left(k\right)\hfill \\ -b^{\prime \prime }\leftarrow E^{Execute,Send,Reveal,Corrupt}(r_k=Test\left({\Pi }_{M{S}_i,V_j}^u\right))\hfill \\ If the followings are true, return 1; elsereturn 0.\hfill \\ 1.b^{\prime }=b^{ȃ}\hfill \\ 2.E has never submitted Reveal\left({\Pi }_{M{S}_i,V_j}^u\right) and\hfill \\ Corrupt\left(V_j\right) queries.\hfill \end{array}$$

We define the advantage of E is $Ad{v}_E^{GoodGuess}\left(k\right)=Pr[Ex{p}_E^{GoodGuess}\left(k\right)=1]-\frac{1}{2}$.

Definition 13. 

A protocol $P=(\Pi ,\mathcal{G})$ is a secure authenticated key exchange protocol if

1. 

P is a secure mutual authentication protocol;

2. 

Both oracles ${\Pi }_{M{S}_i,V_j}^u$ and ${\Pi }_{V_j,M{S}_i}^v$ always accept and hold the same session key $r_3$ if E is a benign adversary; and

3. 

For any adversary E, $Ad{v}_E^{GoodGuess}\left(k\right)$ is negligible.

Theorem 6. 

The authentication protocol of Section 3.4 is a secure authenticated key exchange protocol if the encryption $E_{p{k}_V}$ is semantic secure.

Proof. 

We have shown that the proposed scheme satisfies the first and second conditions of Definition 13. We consider the third condition and assume that E is an adversary who has probability $(ϵ+\frac{1}{2})$ in outputting $b^{″}$ such that $b^{\prime }=b^{″}$ where ϵ is non-negligible. The proof model is depicted as Figure 14.

$\mathcal{S}$ is a simulator who will simulate the communication environment for E. $\mathcal{S}$ first randomly selects four strings, $({\tilde{r}}_1,{\tilde{r}}_2,{\tilde{r}}_3,{\tilde{r}}_3^{\prime })$, and prepares $m_0=({\tilde{r}}_1,{\tilde{r}}_2,{\tilde{r}}_3)$ and $m_1=(\tilde{r},{\tilde{r}}_2,{\tilde{r}}_3^{\prime })$. $\mathcal{S}$ then sends $(m_0,m_1)$ to $\mathcal{C}$ and obtains $\pi =E_{pk}\left(m_b\right)$ from $\mathcal{C}$ where $b{\in }_R\{0,1\}$. Assume that there are $q_1$ entities $M{S}_i$’s and $q_2$ entities $V_j$’s. E is allowed to submit $Execute({\Pi }_{M{S}_i,V_j}^u,{\Pi }_{V_j,M{S}_i}^v)$ queries at most $q_3$ times where $q_1$, $q_2$, and $q_3$ are polynomials of security parameter k. $\mathcal{S}$ guesses two numbers λ and $j^{\prime }$ where E will return the guess bit $b^{\prime \prime }$ after making $Test\left({\Pi }_{M{S}_i,V_{j^{\prime }}}^u\right)$ which is corresponding to the λth $Execute({\Pi }_{M{S}_i,V_{j^{\prime }}}^u,{\Pi }_{V_{j^{\prime }},M{S}_i}^v)$ query. Then, $\mathcal{S}$ initializes $i_{guess}=0$ and generates all public/private key pairs $(p{k}_{V_j},s{k}_{V_j})$ for all entities $V_j$’s except the entity $V_{j^{\prime }}$ whose public key will be set as $pk$ received from $\mathcal{C}$ in Definition 7. When E makes $Send({\Pi }_{M{S}_i,V_j}^u,\mathcal{M})$ and $Send({\Pi }_{V_j,M{S}_i}^v,\mathcal{M})$ queries, $\mathcal{S}$ can deal with them and output the corresponding messages by running the protocols of Section 3.3 and Section 3.4 with generated public/private keys $(p{k}_{V_j},s{k}_{V_j})$’s and encryption/decryption oracles $({\mathcal{O}}_E,{\mathcal{O}}_D)$. The operations of $Execute({\Pi }_{M{S}_i,V_{j^{\prime }}}^u,{\Pi }_{V_{j^{\prime }},M{S}_i}^v)$, $Test\left({\Pi }_{M{S}_i,V_{j^{\prime }}}^u\right)$, $Reveal\left(T\right)$, and $Reveal\left({\Pi }_{M{S}_i,V_j}^u\right)$ queries are depicted in Figure 15.

In Line 3 of $Reveal\left({\Pi }_{M{S}_i,V_j}^u\right)$ in Figure 15, $\mathcal{S}$ will abort the simulation because it cannot return the established session key. If the simulation is aborted, $\mathcal{S}$ will randomly guess $b^{\prime }\in \{0,1\}$. Otherwise, after E performs $Test\left({\Pi }_{M{S}_i,V_j}^u\right)$ and outputs $b^{\prime \prime }$, $\mathcal{S}$ will set $b^{\prime }=b^{″}$. Thus, $\mathcal{S}$ has probability ${ϵ}^{\prime }$ in outputting a correct bit $b^{\prime }$ ($=b$) to $\mathcal{C}$ where ${ϵ}^{\prime }\ge \frac{ϵ+\frac{1}{2}}{q_2{q}_3}+\frac{q_2{q}_3-1}{2q_2{q}_3}=\frac{2ϵ+1+q_2{q}_3-1}{2q_2{q}_3}=\frac{ϵ}{q_2{q}_3}+\frac{1}{2}$. Hence, if ϵ is non-negligible, $Ad{v}_{\mathcal{F}}^{IND-CCA}\left(k\right)={ϵ}^{\prime }-\frac{1}{2}\ge \frac{ϵ}{q_2{q}_3}$ is also non-negligible.

☐

5. The Forward Secrecy Extension

Forward secrecy is an advanced security feature which makes the past session keys still secure even though the long-term key of a system was stolen by attackers. If a scheme is not with forward secrecy, an attacker, who has gotten the long-term key by some means, can compute all past session keys which were derived from the long-term key.

Our anonymous authentication protocol can be easily extended to own the feature of forward secrecy by adopting Diffie-Hellman key exchange protocol [24]. The extended protocol is given in Figure 16. Let p be a prime and g be a generator with order q in ${\mathbb{Z}}_p^{*}$ where q is also prime and $q\left|\right(p-1)$. In the extended authentication protocol, when $MS$ is preparing ${\theta }_2$, she/he randomly chooses an integer $a\in \{1,\cdots ,q\}$ and compute $r_3=g^{a}modp$. Then, $MS$ sets ${\theta }_2=E_{p{k}_V}(r_1,r_2,r_3)$. V prepares $r_4=g^{b}modp$ where b is randomly selected from $\{1,\cdots ,q\}$ and sends $(r_1,r_4)$ to $MS$. Finally, $MS$ computes the session key $k_s=r_4^{a}modp$ and V computes $k_s=r_3^{b}modp$.

In the extended version, the mobile user has to pay two more exponentiation computations, i.e., $r_3=g^{a}modp$ and $k_s=r_4^{b}modp$ for completing her/his authentication. The mobile user can pre-compute $r_3=g^{a}modp$ before the communication.

5.1. The Security Proof for the Forward Secrecy Extension

First, we define Decisional Diffie-Hellman (DDH) Assumption which was introduced in [25].

Definition 14 (DDH). 

Let p be a prime and g be a generator with prime order q in ${\mathbb{Z}}_p^{*}$ where $q\left|\right(p-1)$. Given $(p,q,g,g^{a}modp,g^{b}modp,g^{c}modp)$, it is computationally indistinguishable to decide if $c\equiv ab(modq)$.

We modify the experiment of Definition 12 as follows.

Definition 15. 

Let $k\in \mathbb{N}$ be a security parameter. In this experiment, the adversary E will try to guess that the returned value $r_k$ from $Test\left({\Pi }_{M{S}_i,V_j}^u\right)$ query is a random string or the real session key.

$$\begin{array}{c}Experiment Ex{p}_E^{GoodGuessFS}\left(k\right)\hfill \\ -b^{″}\leftarrow E^{Send,Execute,Reveal,Corrupt}(r_k=Test\left({\Pi }_{M{S}_i,V_j}^u\right))\hfill \\ If the followings are true, return 1; elsereturn 0.\hfill \\ 1.b^{\prime }=b^{″}\hfill \\ 2.E has never submitted Reveal\left({\Pi }_{M{S}_i,V_j}^u\right).\hfill \\ 3.E makes Corrupt\left(V_j\right) query when the session u^{\prime } hasbeen\hfill \\ finished whereu<u^{\prime }.\hfill \end{array}$$

We define the advantage of E is $Ad{v}_E^{GoodGuessFS}\left(k\right)=Pr[Ex{p}_E^{GoodGuessFS}\left(k\right)=1]-\frac{1}{2}$.

Definition 16. 

A protocol $P=(\Pi ,\mathcal{G})$ is with forward secrecy if P is a secure authenticated key exchange protocol and $Ad{v}_E^{GoodGuessFS}\left(k\right)$ is negligible.

Theorem 7. 

The extension of the authentication protocol in Section 5 is a secure authentication protocol with forward secrecy.

Proof. 

The proof model is illustrated in Figure 17. We will construct a simulator ${\mathcal{S}}_{FS}$ who obtains $(p,q,g,g^{\overline{a}}modp,g^{\overline{b}}modp,g^{\overline{c}}modp)$ and simulates the communication environment under the presence of an adversary E. There are $q_1$ entities $M{S}_i$’s and $q_2$ entities $V_j$’s in the communication environment. Assume that E makes $Execute({\Pi }_{M{S}_i,V_j}^u,{\Pi }_{V_j,M{S}_i}^v)$ queries at most $q_3$ times. ${\mathcal{S}}_{FS}$ generates the public/private keys $(p{k}_{V_j},s{k}_{V_j})$ for $V_j$ where $j=\{1,\cdots ,q_2\}$. ${\mathcal{S}}_{FS}$ guesses a number λ where E will output correct bit $b^{\prime \prime }$ for the $Test\left({\Pi }_{M{S}_i,V_j}^u\right)$ query and ${\Pi }_{M{S}_i,V_j}^u$ is involved in the λth $Execute({\Pi }_{M{S}_i,V_j}^u,{\Pi }_{V_j,M{S}_i}^v)$ query. When E makes $Send({\Pi }_{M{S}_i,V_j}^u,\mathcal{M})$ and $Send({\Pi }_{V_j,M{S}_i}^v,\mathcal{M})$ queries, ${\mathcal{S}}_{FS}$ can return the corresponding response messages by performing the protocol of Section 3.3 and Section 3.4 with the generated public/private keys $(p{k}_{V_j},s{k}_{V_j})$’s. Besides, ${\mathcal{S}}_{FS}$ resets $i_{guess}=0$ and $Reveal\left(T\right)$, $Reveal\left({\Pi }_{M{S}_i,V_j}^u\right)$, $Test\left({\Pi }_{M{S}_i,V_j}^u\right)$, and $Execute({\Pi }_{M{S}_i,V_j}^u,{\Pi }_{V_j,M{S}_i}^v)$ queries are defined in Figure 18.

After the λth $Execute({\Pi }_{M{S}_i,V_j}^u,{\Pi }_{V_j,M{S}_i}^v)$ query, E makes $Test\left({\Pi }_{M{S}_i,V_j}^u\right)$ query and outputs a guess bit $b^{\prime \prime }$. Then ${\mathcal{S}}_{FS}$ can try to solve the DDH problem as follows. If $b^{\prime \prime }=0$, ${\mathcal{S}}_{FS}$ decides $c\equiv ab(modq)$. If $b^{\prime \prime }=1$, ${\mathcal{S}}_{FS}$ decides $c\ne ab(modq)$. Besides, if E does not make $Test\left({\Pi }_{M{S}_i,V_j}^u\right)$ query for the λth $Execute({\Pi }_{M{S}_i,V_j}^u,{\Pi }_{V_j,M{S}_i}^v)$, ${\mathcal{S}}_{FS}$ randomly chooses $b^{\prime }\in \{0,1\}$. Assume that E has probability at least $(ϵ+\frac{1}{2})$ with non-negligible ϵ to output correct bit $b^{\prime \prime }$. Thus, ${\mathcal{S}}_{FS}$ has non-negligible advantage at least $\frac{ϵ+\frac{1}{2}}{q_3}+\frac{q_3-1}{2q_3}-\frac{1}{2}=\frac{ϵ}{q_3}$ to solve the DDH assumption, i.e., $Ad{v}_E^{GoodGuessFS}\left(k\right)\ge \frac{ϵ}{q_3}$.

6. Comparisons and Performance Evaluation

6.1. Comparisons

First, we describe some features as follows where these features are required for mobile users when they roam around the mobile networks.

• Hiding identity: Mobile users hide their real identities from the system operator, H and V, and eavesdroppers.
• No relation: It is difficult for the system to derive the relation between any two rounds of the communication of the same mobile user.
• Secure channels: After performing mutual authentication between an anonymous mobile user and the system operator, they must establish a shared session key for the following communication activities.
• Fair privacy: Fair privacy contains traceability and revokeability. If a crime happens, the police can trace the identities of related anonymous mobile users or the judge can revoke their privacy.
• Credit-based chargeability: As mentioned in Section 3.5, the credit-based charging method is better than the debit-based one since the former (1) is the same as the practical situation in current GSM services; (2) can greatly reduce the relations between any two rounds of communication; and (3) is free from the problem of overspending.

The comparisons between our proposed scheme and the others are summarized in

Table 1. Comparisons.

	Privacy					Property
Scheme	Hiding ID from:							Credit-Based
	H	V	E	NoR	S	T	R	Chargeability
Ours	◯	◯	◯	◯	◯	◯	◯	◯
[6]	◯	◯	◯	×	◯	△	△	×
[7]	◯	◯	◯	×	×	×	×	×
[8]	×	◯	◯	◯	◯	×	×	×
[9]	×	×	◯	◯	◯	×	×	×
[10]	×	◯	◯	×	◯	×	×	◯
[11]	◯	◯	◯	◯	×	×	×	×
[12]	◯	◯	◯	×	×	×	×	×
[26]	×	◯	◯	×	×	×	×	×
[27]	×	◯	◯	×	◯	×	×	×
[28]	×	◯	◯	×	◯	◯	◯	×

H: Home domain; V: Visiting domain; E: Eavesdroppers; NoR: Hard to derive relation between any two rounds; S: Secure channel; T: Traceability (Tracing a criminal user); R: Revokeability (Revoking the privacy of a user when necessary); ◯: Achieving the feature; ×: Not achieving the feature; △: Not realizing the feature.

. In Table 1, the authors of [6] also mentioned untraceability and revokeability, but they did not realize them in their scheme. We believe that realizing untraceability and revokeability is not trivial.

6.2. Performance Evaluation

In

Table 2. Computation evaluation.

Operation	Mobile User ($\mathit{MS}$)	The System (V+H)
Requesting a ticket	4E	6E
Using a ticket	3E	2E
Termination	3E	8E

, we summarize the computation cost of the proposed protocols where E denotes the cost of a modulo exponentiation computation.

Besides, we show the benchmark of Crypto++, which is a C++ class library of cryptographic computations, in

Table 3. The benchmark of Crypto++.

CPU: Intel Celleron 450 MHz, OS: Windows 2000
RSA Operation	Iterations	Total Time	Milliseconds/Operation
1024 Encryption	41,051	30 s	0.73
1024 Decryption	1,084	30 s	27
2048 Encryption	13,912	30 s	2
2048 Decryption	164	30 s	183
1024 Signature	1,086	30 s	27
1024 Verification	43,061	30 s	0.69
2048 Signature	165	30 s	181
2048 Verification	14,187	30 s	2

[29]. The benchmark is measured by running Crypto++ on a machine with Intel Celleron 450MHz CPU under Windows 2000. Furthermore, we also list the hardware specifications of some recently popular mobile devices in

Table 4. Some popular mobile devices.

Mobile Device	CPU	Memory	Execution Time
Mac iphone 3G	Samsung S5L8900 620 MHz	128 MB
HTC magic	Qualcomm MSM 7201A 528 MHz	192 MB	E: 3 ms, D: 21 ms
Noika N95	Dual ARM 11 332 MHz	128 MB
Sony Ericsson X1	Qualcomm MSM 7200 528 MHz	256 MB

E: encrypting 256 bits of data; D: decrypting 256 bit of data.

[30]. In Table 4, we also implemented RSA Cryptography system to check if our proposed system is practically efficient. According to Table 3 and Table 4, we can objectively say that our protocols can be implemented and efficiently executed in the present mobile devices. Consequently, our anonymous authentication protocols can be performed in a reasonable time when a mobile user takes her/his mobile device to roam over the mobile network.

7. Conclusions

We have proposed a mobile authentication scheme which can authenticate mobile users anonymously. When a mobile user enters the anonymity mode, she/he can perform a mutual authentication process with the system operator. The system operator can charge the anonymous user correctly according to the time she/he consumed by a credit-based method. Furthermore, if some mobile user misuses the anonymity property, the judge can revoke her/his privacy and trace her/him.

In the proposed scheme, the privacy of an honest mobile user might be broken by the system operator if the mobile user lost her/his ticket since the system operator must trace her/his used tickets in order to find the spending value of her/him. Finding a solution to cope with the problem would be the subject of an interesting research topic.