Formal Security-Proved Mobile Anonymous Authentication Protocols with Credit-Based Chargeability and Controllable Privacy †

Abstract: Smart mobile phones are widely used and advanced mobile communication services are provided more and more often, so that ubiquitous computing environments will soon be a reality. However, mobile networks face many security threats, and their impact is more serious than in wireline networks owing to the nature of wireless transmission and the ubiquity property. The secret information that mobile users carry may be stolen by malicious entities. To guarantee the quality of advanced services, security and privacy are important issues when users roam across various mobile networks. In this manuscript, an anonymous authentication scheme is proposed to protect the security of the network system and the privacy of users. Not only does the proposed scheme provide mutual authentication between each user and the system, but each user's identity is also kept secret from everyone else, including the system. Although the system authenticates users anonymously, it can still generate correct bills to charge these anonymous users via a credit-based solution instead of a debit-based one. Furthermore, our protocols also achieve fair privacy, which allows the judge to revoke anonymity and trace illegal users when they have misused the anonymity property, for example by committing crimes. Finally, we also carry out complete theoretical proofs of each claimed security property.


Introduction
Mobile communication has become increasingly popular, and many applications and services are now provided in mobile network environments [1]. Moreover, some countries have deployed 4G (4th Generation) mobile network architectures, and smart mobile equipment has been produced so that people can enjoy mobile services anywhere and anytime. Mobile computing will clearly penetrate people's lives in the near future: convenient mobile network services and powerful mobile equipment will make people all around the world willing to join the society of mobile communications.
Mobile users may process important documents or secret personal information on their mobile equipment while roaming mobile networks, and they might worry about whether it is secure to carry their important data into these networks. When mobile users exchange messages in mobile networks, they face many security threats. Eavesdroppers may try to obtain their transmitted messages, their real identities, and even the locations where they are roaming [2]. The more information the eavesdroppers learn, the less security and privacy the mobile users preserve. Sometimes malicious insiders of the system operator disclose the classified information of mobile users. A system that does not maintain user privacy will not be acceptable in the future [3][4][5].
There are some weaknesses in user privacy in the existing 2G mobile network system. Each mobile user's alias, the TMSI, can be linked to her/his real identity, the IMSI, by an attacker when the VLR requests her/him to retransmit her/his IMSI. The 2G system also has no design for mutual authentication or for protecting users' privacy against the system operator, so a mobile user may be deceived by a fake base station. Although the 3G system provides mutual authentication, the privacy or anonymity of mobile users has not been sufficiently considered yet.
Most of the proposed authentication schemes [6][7][8][9][10][11][12] that emphasize the privacy of mobile users assign an anonymous identity to each user. A mobile user obtains an anonymous identity after she/he is successfully authenticated by the system operator, and then uses this valid alias to roam over the mobile networks. Eavesdroppers do not know the relation between her/his real identity and the alias, but the system operator can derive it. To protect the user's privacy completely, we want nobody else, not even the system operator, to be able to derive such relations. Owing to their unlinkability property, blind signatures [13] can help us realize complete anonymity for mobile users.
Another problem is that, once a mobile user has anonymity, how can the system operator charge her/him when she/he requests mobile network services via an anonymous identity? In particular, how can the system charge the user in a credit-based way, which is the most commonly used billing solution and has been accepted by almost all mobile users? Furthermore, if some mobile user misuses the anonymity property to commit crimes, how can the judge handle it? None of the current solutions copes with all of these problems at the same time.
In our solution, every mobile user is anonymous from the point of view of the system operator and of anyone else while she/he is accessing mobile network resources. Furthermore, the system operator can charge the mobile user in a credit-based way according to the communication time the user consumed. Moreover, we also consider fair privacy: the privacy of a mobile user who misuses anonymity can be revoked by the judge, and the police can trace criminals who have obtained anonymity. Our proposed authentication protocols for mobile communications simultaneously realize anonymity, credit-based chargeability, and fair privacy (revokeability and traceability).
Our earlier work [14] introduced the basic idea of this research. In this manuscript, we add more security features: unlinkability, unforgeability, tamper resistance, swindling resistance, secure mutual authentication, and secure authenticated key exchange. Furthermore, formal security proofs guarantee the security strength of the proposed system. Besides, we also implemented the scheme to show the practical computation cost on a cellphone.

Some Requirements for Anonymous Authentication
In mobile network environments, anonymous authentication has to satisfy the following requirements.

1. Dynamic anonymous identity: If an anonymous user uses the same anonymous identity for all sessions when roaming over the mobile network, her/his identity may be exposed by analyzing her/his behavior. An anonymous user should therefore use different anonymous identities for different sessions.

2. No relation between any two aliases: The privacy of a mobile user is broken if the relation between any two of her/his aliases is disclosed.

3. No mapping table stored at the system operator: The system operator authenticates an anonymous user directly, without maintaining a database that records the mapping between the user's anonymous identities and her/his real identity. This makes it possible for the user to keep her/his privacy against the system, and the system saves storage space.

4. Authenticated key agreement: After anonymous authentication between the system and an anonymous user, a shared session key is established. If the user shared a long-term key with the system in advance and derived the session key from it, the system could trace her/him by recognizing the long-term key embedded in the session key. Hence, to preserve user anonymity, the system and the user have to establish their session key without sharing any key or information in advance. Besides, all session keys should be mutually independent.

5. Traceability in some situations: If there are malicious users, a trusted third party must be able to revoke their privacy. An anonymous authentication protocol should therefore provide revocable anonymity.

6. Credit-based chargeability: When a user conceals her/his identity from the system operator, it is hard for the system to charge the anonymous user after she/he has utilized the network services. An anonymous authentication scheme for mobile communications should allow the system operator to charge anonymous mobile users in the popular credit-based way without revealing their identities. Credit-based chargeability in the proposed system means that no user needs to pay, not even with a credit card, before she/he uses the services of the system. Every consumption of the user is accumulated in her/his ticket. The ticket has a life cycle, and the user must return the ticket to the system at the end of the cycle, say the end of each month. Finally, the system sends the user a bill which includes the total consumption retrieved from the ticket.

The Proposed Protocols
First, we define and explain some notations as follows:

1. MS, H, V: the three participants in our protocols. MS is a mobile user, H is the server of the home network, and V is the server of a visited network.

2. ID_MS: the real identity of MS.

3. E_x, D_x: E_x is a semantically secure encryption function [15] and D_x is the decryption function corresponding to E_x, where x can be an input symmetric key or a public/private key.

4. k_ms_h, k_ms_v, k_v_h: the shared session keys between MS and H, MS and V, and V and H, respectively.

5. (pk_J, sk_J) and (pk_V, sk_V): the public/private key pair of the judge and the public/private key pair of V, respectively.

6. F_1, F_2, and F_3: three one-way hash functions.

7. Judge device: the judge issues a tamper-resistant device which contains {a random-number generator, a symmetric-key cryptosystem, a public-key cryptosystem, the public/private key pair of the judge, F_1, F_2}. This device is integrated into the system of H. It is impossible to steal or modify any information embedded in the device. In our scheme, the judge is an off-line party, i.e., the judge does not need to stay connected to H during our protocols, but the judge device does. In practice, the judge device can be implemented with a TPM (Trusted Platform Module) [16], which is maintained by the Trusted Computing Group [17]; nowadays TPMs are also embedded in mobile phones and notebook computers [18].

8. γ: a due date. As shown in Figure 1, if a mobile user requests a ticket for communication in time slot P_i, H assigns her/him the due date γ_{i+1}, the last day of the next time slot P_{i+1}. H assigns the same γ to every mobile user who requests a ticket in the same time slot. All time slots are equally long.

Our scheme consists of four protocols, described in Sections 3.3-3.6, respectively. A mobile user requests an anonymous ticket by performing the protocol of Section 3.3. She/He can then use the anonymous ticket for network services by executing the protocol of Section 3.4. After she/he has performed the protocol of Section 3.4, H can charge her/him on the due date via the protocol of Section 3.5. Finally, if she/he does something illegal, the judge and the police can revoke her/his privacy or trace her/him through the protocol of Section 3.6.

Overview of Our Proposed Scheme
In this section, we describe how a mobile user obtains anonymity, how the system charges an anonymous user via a credit-based method, and how the judge revokes the anonymity from an anonymous user who does something malicious.
In our scheme, a mobile user first has to request an anonymous ticket and then uses it for authentication. As shown in Figure 2, when the mobile user requests a ticket, the system, V and H, sends her/him a blinded ticket containing her/his identity ID_MS and an initial value w = 0. The mobile user obtains anonymity by unblinding the obtained ticket. The system charges the mobile user in a credit-based way as follows. Each time the mobile user consumes her/his ticket for mobile network services, the system returns her/him a new one which contains the updated value (w + w′), where w′ is the amount H wants to charge the user for this round of communication service. Finally, the user must return her/his current unused ticket to the system on the due date of the ticket, and the system sends her/him a bill containing the accumulated value retrieved from the returned ticket. During the services, the user is anonymous to the system under the protection of our proposed anonymity mechanism.
However, if the user does something malicious, the judge can revoke her/his anonymity by extracting her/his identity from the ticket, and the police can trace the user via the embedded identity.

Key Generation
H chooses two distinct large primes p_H and q_H and computes n_H = p_H q_H. H also selects its public key e_H and private key d_H such that e_H d_H ≡ 1 (mod φ(n_H)), where φ(n_H) = (p_H − 1)(q_H − 1). Finally, H publishes {n_H, e_H, F_1, F_2, F_3} and keeps {p_H, q_H, d_H} secret. Besides, H also publishes all time slots P_i, i ∈ {1, 2, 3, ...}, i.e., all due dates γ are published.

The Protocol for Requesting an Initial Anonymous Ticket
In our scheme, the mobile user, MS, can request an anonymous ticket by running the protocol in this section after she/he has performed any existing secure mutual authentication protocol with the system, V and H. There is a secure channel between V and H whose shared encryption key is k_v_h. The protocol consists of the following steps and is also shown in Figure 3.
First, MS randomly generates two l_r-bit strings (m, k) and an integer r ∈ Z*_{n_H}. Then MS computes α and θ = E_pk_J(k, ID_MS). Finally, MS submits (α, θ) to H.
In this step, H knows that MS, whose real identity is ID_MS, wants to request a ticket. Let µ = ID_MS and let γ be the last day of the next time slot. Then H inputs (µ, γ, θ) into the judge device.
H also records that ID_MS has bought a ticket in the current time slot and will have to return an unused ticket on the due date γ for billing.
First, the judge device decrypts θ by computing D_sk_J(θ) and parses the result as (k, ID_MS). Then it checks whether µ = ID_MS. If so, it randomly generates two l_r-bit strings (r_j, r_z) and an integer b ∈ Z*_{n_H}. Then it sets w = 0 and computes δ = E_pk_J(ID_MS, F_1(r_z)), σ = E_pk_J(w, r_j), and β. Finally, it computes ρ = E_k(δ, b, σ) and ξ = E_pk_J(r_z) and returns (β, ρ, ξ) to H.
After receiving (t, ρ, γ), MS checks whether γ is the last day of the next time slot. Then she/he decrypts ρ by computing D_k(ρ) and parses the result as (δ, b, σ). She/He also computes s = (br)^{-1} t mod n_H. Then she/he obtains the ticket (m, δ, σ, γ, s) and can verify it by examining whether the ticket verification formula holds. Finally, MS sets i = 1 and (m_i, δ_i, σ_i, γ, s_i) = (m, δ, σ, γ, s), and then proceeds to the protocol of Section 3.4 when she/he decides to use the ticket to roam the mobile networks.
The protocol of Section 3.4 makes it possible for the anonymous mobile user MS to perform mutual authentication with V and use her/his ticket for mobile network services. It consists of the following steps and is illustrated in Figure 4.
After receiving (α, θ_1, T, θ_2), V first verifies T by examining the ticket verification formula and checking that γ has not expired. If both hold, V decrypts θ_2 to get (r_1, r_2, r_3) and randomly generates an l_r-bit string r_4. Then V sends (r_1, r_4) to MS.
Right after sending (r_1, r_4) to MS, V also submits E_k_v_h(T) to H in order to perform the double-use check on T. If T has been used before, the connection is terminated.
After receiving (r_1, r_4), MS checks whether r_1 is the same as the one she/he chose. Then MS computes r_5 = F_3(r_2 || r_4) ⊕ m* and sends r_5 to V.

5. Allowing communication: If V's check on r_5 succeeds, V is assured that MS is the real owner of T and therefore allows MS to communicate with it. During the communication, they encrypt/decrypt their messages with the session key r_3.
After MS terminates her/his communication, she/he obtains a returned ticket which will be used for the next round of authentication. As shown in Figure 5, she/he performs the following procedure with the system to obtain the returned ticket.

1. MS notifies V that she/he wants to terminate her/his communication.

2. V → H: After receiving the termination request from MS, V computes the spending value w′ of MS according to the communication time or services utilized by MS.

3. H decrypts the message received from V and stores (T, m*, w′) in its database. Then H inputs (T, w′, θ_1) into the judge device.

4. When receiving (T, w′, θ_1), the judge device first verifies T by (5) and checks whether the due date γ embedded in T has expired. If either verification fails, the judge device returns an abort signal. Otherwise, it computes k = D_sk_J(θ_1), (ID_MS, r_z) = D_sk_J(δ*), and (w*, r*_j) = D_sk_J(σ*), where δ* and σ* are retrieved from T. Furthermore, it randomly selects a string r_j ∈ {0, 1}^{l_r} and an integer b ∈ Z*_{n_H}, computes the renewed values, and outputs (β, ρ) to H.

Unblinding: After receiving (t, ρ), MS computes (δ**, b, σ**) = D_k(ρ) and s** = (br)^{-1} t mod n_H. MS obtains a new ticket (m**, δ**, σ**, γ, s**), which can be verified with the same check as in Section 3.3; this is the new unused (fresh) ticket of the user. Thus, she/he can use the fresh ticket for the next round of communication before the due date γ.
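The blind issuance shared by Sections 3.3 and 3.4 (blinding by MS, a second blinding by the judge device, signing by H, unblinding by MS) as an added, runnable Python example; it is not the paper's code. The page's formulas for α and for ticket verification did not survive extraction, so the example assumes the standard FDH-RSA form α = r^{e_H} F_1(m) and s^{e_H} ≡ F_1(m) F_2(δ, σ, γ) (mod n_H), which is consistent with s = (br)^{-1} t above and with β_j = b_j^{e_H} F_2(δ_j, σ_j, γ_j) in the proof of Theorem 2; δ and σ are stood in by opaque byte strings, and the toy RSA modulus is for illustration only.

```python
import hashlib
import math
import secrets
from dataclasses import dataclass

# Toy RSA key for H, built from two Mersenne primes. Constructed for this
# example only (about 150 bits), far too small for real use.
P_H = 2**61 - 1
Q_H = 2**89 - 1
N_H = P_H * Q_H
E_H = 65537
D_H = pow(E_H, -1, (P_H - 1) * (Q_H - 1))   # e_H * d_H == 1 (mod phi(n_H))


def _hash_to_zn(tag: bytes, *parts: bytes) -> int:
    """Full-domain hash into Z_{n_H}; the tag separates F_1 from F_2."""
    h = hashlib.sha256(tag)
    for part in parts:
        h.update(len(part).to_bytes(4, "big") + part)
    return int.from_bytes(h.digest(), "big") % N_H


def F1(m: bytes) -> int:
    return _hash_to_zn(b"F1", m)


def F2(delta: bytes, sigma: bytes, gamma: bytes) -> int:
    return _hash_to_zn(b"F2", delta, sigma, gamma)


def random_unit() -> int:
    """Random blinding factor in Z*_{n_H}."""
    while True:
        x = secrets.randbelow(N_H)
        if x > 1 and math.gcd(x, N_H) == 1:
            return x


@dataclass(frozen=True)
class Ticket:
    m: bytes       # random string chosen by MS; H only ever sees it blinded
    delta: bytes   # stands in for E_{pk_J}(ID_MS, F_1(r_z)) (opaque here)
    sigma: bytes   # stands in for E_{pk_J}(w, r_j) (opaque here)
    gamma: bytes   # due date
    s: int         # unblinded FDH-RSA signature


def ms_blind(m: bytes, r: int) -> int:
    """MS: alpha = r^{e_H} * F_1(m) mod n_H (assumed form of alpha)."""
    return pow(r, E_H, N_H) * F1(m) % N_H


def judge_blind(delta: bytes, sigma: bytes, gamma: bytes, b: int) -> int:
    """Judge device: beta = b^{e_H} * F_2(delta, sigma, gamma) mod n_H."""
    return pow(b, E_H, N_H) * F2(delta, sigma, gamma) % N_H


def h_sign(alpha: int, beta: int) -> int:
    """H: t = (alpha * beta)^{d_H} mod n_H; H learns neither m nor s."""
    return pow(alpha * beta % N_H, D_H, N_H)


def ms_unblind(t: int, r: int, b: int) -> int:
    """MS: s = (b r)^{-1} t mod n_H, as in Sections 3.3 and 3.4."""
    return pow(b * r % N_H, -1, N_H) * t % N_H


def verify_ticket(tk: Ticket) -> bool:
    """Assumed check: s^{e_H} == F_1(m) * F_2(delta, sigma, gamma) mod n_H."""
    lhs = pow(tk.s, E_H, N_H)
    return lhs == F1(tk.m) * F2(tk.delta, tk.sigma, tk.gamma) % N_H


def issue_ticket(m: bytes, delta: bytes, sigma: bytes, gamma: bytes):
    """One blind issuance (initial request or renewal): (ticket, view of H)."""
    r = random_unit()                  # chosen by MS
    alpha = ms_blind(m, r)
    b = random_unit()                  # chosen by the judge device, sent to MS inside rho
    beta = judge_blind(delta, sigma, gamma, b)
    t = h_sign(alpha, beta)            # H's view: alpha, beta, t only
    s = ms_unblind(t, r, b)
    return Ticket(m, delta, sigma, gamma, s), {"alpha": alpha, "beta": beta, "t": t}


def demo() -> bool:
    """Initial ticket, one renewal with a new m**, and a tampered due date."""
    # Constructed sample values; delta/sigma here are labels, not real ciphertexts.
    t1, view1 = issue_ticket(secrets.token_bytes(16), b"delta_1", b"sigma(w=0)", b"2024-02-29")
    t2, view2 = issue_ticket(secrets.token_bytes(16), b"delta_2", b"sigma(w=0+w')", t1.gamma)
    moved = Ticket(t2.m, t2.delta, t2.sigma, b"2099-12-31", t2.s)   # gamma altered
    return (verify_ticket(t1) and verify_ticket(t2) and not verify_ticket(moved)
            and view1["t"] != t1.s and view2["t"] != t2.s)


if __name__ == "__main__":
    print("tickets valid and tampering detected:", demo())
```

The value t that H signs differs from the unblinded s by the factor br, which only MS knows, so H cannot match the (α, β, t) it saw with the (m, s) later presented to V.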

The Protocol for Charging Mobile Users
For each mobile user MS, the system operator H calculates her/his bill through the following steps on the due date γ:

1. MS returns her/his real identity and unused ticket (m*, δ*, σ*, γ, s*) to H before the due date.

2. H checks that the ticket does not exist in its database and sends the ticket to the judge device.

3. The judge device verifies that the ticket is valid via (4) and checks whether γ has expired. If so, it computes (w, r_j) = D_sk_J(σ*) and returns the spending value w to H.

4. H adds w to the bill of MS and deletes the record indicating that MS has requested a ticket.

5. H sends the bill to MS.

Besides, if the mobile user wants to request a ticket after the due date γ, she/he performs the protocol of Section 3.3 again.
Our scheme adopts credit-based charging, i.e., the system charges each mobile user after it has finished a sequence of services for the user, as is the practice in the real world. This differs from other approaches that use debit-based charging, i.e., each mobile user has to purchase payment token(s) before she/he starts accessing the services provided by the system [6,12]. What are the differences between charging mobile users in advance and charging them after the services? The following are the reasons why we designed our scheme to charge mobile users in a credit-based way.

1. Adaptability. In current GSM services, almost all systems adopt credit-based ways to charge users.

2. Reducing the relations between any two rounds of communication with only one token. There are two possible ways to charge a mobile user in advance (debit-based ways):

(a) The mobile user purchases a set of payment tokens from the system beforehand, where each token carries a unit of value. In each round of communication, the mobile user sends an appropriate number of tokens to the system for payment. In this case it is difficult for the system to derive the relation between any two rounds of communication, since the tokens are independent of one another. However, recording and transmitting these tokens consumes much storage and communication cost.

(b) The mobile user purchases only one payment token from the system beforehand, where the token carries a specific value w. In the following round of communication, the mobile user sends the token to the system for payment, and the system returns a new token with value (w − w_1) if the user consumed w_1 of that token. In this mechanism the mobile user needs to store only one token. However, privacy is defective: when the system returns a token with value (w − w_1) to the user, the system knows that the user will use the token with value (w − w_1) in the next round, so there is a relation between these two rounds of communication.

Our scheme allows a user to store one token and greatly reduces the relations between any two rounds of communication from the system's point of view. All users return their unused tickets to the system for charging, and thus the system knows the total spending value of every user in the previous time slot. However, it is difficult for the system to trace a specific user by finding all of her/his spending values in the spending value pool, which contains all spending values of all users in the previous time slot. This is the subset sum problem, shown below, which is NP-hard [19]. The proposed system makes it computationally infeasible to link any two rounds of communication under the assumption of large subset sizes.

Definition 1. Given a vector of integers A = (a_1, a_2, . . ., a_n) and a positive integer s, called the sum, compute a solution vector X = (x_1, x_2, . . .). The integer s can be regarded as the total spending value of a mobile user, and the vector A contains all spending values in the spending value pool.

3. Freedom from overspending. In debit-based charging methods (both (a) and (b) above), when a mobile user shows her/his token(s) to the system in order to communicate, her/his communication is terminated once the tokens or the token's value are used up, which is inconvenient for the user. If instead the system does not terminate the communication, the mobile user overspends the token(s) and the system must perform extra procedures to handle the situation. Our scheme, being credit-based, avoids this problem.
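The linkability argument of reason 2 above (the system sees only each user's total and the pool of per-session w′ values) as an added Python example, not from the paper: it counts how many subsets of a constructed pool sum to a given total, which is the ambiguity a tracer faces, and flags the small-pool case in which a total pins down a single set of sessions. The pool and totals are constructed for illustration; the explicit enumeration is exponential and meant for small pools only.

```python
from itertools import combinations
from typing import List, Sequence, Tuple

# Constructed spending-value pool: the per-session charges w' that H recorded
# for all users during one time slot (toy values, not from the paper).
POOL: List[int] = [3, 5, 7, 3, 12, 5, 8, 2, 9, 4]


def count_subsets(pool: Sequence[int], total: int) -> int:
    """Number of index subsets of pool whose values sum to total.

    Standard subset-sum counting by dynamic programming, O(len(pool) * total).
    A count of 1 means the total pins down exactly one set of sessions.
    """
    ways = [0] * (total + 1)
    ways[0] = 1
    for a in pool:
        for s in range(total, a - 1, -1):   # descending: each session used at most once
            ways[s] += ways[s - a]
    return ways[total]


def candidate_sessions(pool: Sequence[int], total: int) -> List[Tuple[int, ...]]:
    """Explicitly enumerate the index subsets summing to total (small pools only)."""
    hits = []
    for k in range(1, len(pool) + 1):
        for idx in combinations(range(len(pool)), k):
            if sum(pool[i] for i in idx) == total:
                hits.append(idx)
    return hits


def linkable(pool: Sequence[int], total: int) -> bool:
    """True when the user's total maps to exactly one session set: the caveat on pool size."""
    return count_subsets(pool, total) == 1


if __name__ == "__main__":
    print("session sets summing to 20:", count_subsets(POOL, 20))
    print("linkable with a 3-entry pool:", linkable([3, 5, 7], 12))
```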

The Protocol for Privacy Revoking
In some situations, H or the judge needs to disclose the identity of an anonymous mobile user: for example, a user commits a crime, the police want to trace criminals, or some mobile users do something harmful to H. Our scheme supports two ways to trace illegal anonymous mobile users.

1. Tracing the mobile user by a designated ticket: Once an anonymous user abuses anonymity to commit a crime, her/his ticket is reported to the judge. Assume that the ticket is (m′, δ′, σ′, γ′, s′). The judge extracts δ′ from the ticket and parses D_sk_J(δ′) to get ID_MS.

2. Tracing the tickets by a designated mobile user: If the police want to trace a criminal (whose real identity is ID_MS) in time slot P_i, they send (ID_MS, γ_{i+1}) to H and ask H and the judge to disclose the criminal's privacy. H retrieves ξ from its stored records according to (ID_MS, γ_{i+1}) and sends ξ to the judge. After decrypting ξ and obtaining r_z, the judge computes the set {δ_1, δ_2, δ_3, . . ., δ_i} by Equation (6) and sends it to H, and H can help the police trace the mobile user in time slot P_i via this set. In our scheme, the mobile user takes the anonymous ticket containing δ_1 for her/his first round of communication, the ticket containing δ_2 for the second round, and so forth. According to this order, H can trace the communication activities of the criminal from the first round to the i-th round via {δ_1, δ_2, δ_3, . . ., δ_i}.

Exceptions
In addition to the above issues, three exceptions may occur in our scheme: the mobile user refuses to return her/his ticket for billing on the due date; the mobile user loses her/his ticket (or her/his mobile device); and the mobile user's communication is terminated abnormally.

1. The mobile user refuses to return her/his ticket for billing on the due date: After the due date γ, if some mobile users have not yet returned their unused tickets, H sends the judge a list L containing their identities. According to L, the judge sends a payment notification to each mobile user on L and announces another due date γ′. If a mobile user, say ID_MS, has still not returned her/his unused ticket on the new due date γ′, the judge computes the set {δ_1, δ_2, δ_3, . . .} for ID_MS via Equation (6) and sends it to H. Let T_i denote the i-th ticket, i.e., the ticket containing δ_i, and assume that the mobile user refused to return T_{i+1}. H finds (T_i, w′) in its database via δ_i; the judge then helps H extract the spending value w* from T_i, and H computes w = w* + w′ and adds w to the bill of the mobile user ID_MS.

2. The mobile user loses her/his ticket: When a mobile user, say ID_MS, loses her/his unused ticket T_i, she/he must ask H to freeze the unused ticket, or it may be used by a malicious user. After an authorization process (for example, the mobile user signs a document stating that she/he agrees that H may ask the judge to compute {δ_1, δ_2, . . .}, i.e., the user authorizes H to reveal her/his privacy), H sends (ID_MS, ξ) to the judge, which computes {δ_1, δ_2, δ_3, . . .} by Equation (6).
Assume that the mobile user lost T_i. H must deny service for T_i, T_{i+1}, T_{i+2}, . . ., which it recognizes via δ_i, δ_{i+1}, δ_{i+2}, . . ., respectively, where i ∈ N. Besides, H finds (T_{i−1}, w′) in its database via δ_{i−1} and sends T_{i−1} to the judge to extract the accumulated spending value w* from T_{i−1}. After the judge returns w* to H, H adds (w* + w′) to the bill of the mobile user.
In order to handle this exception, the privacy of T_1, T_2, T_3, . . ., T_{i−1} of the mobile user is revealed. However, if the mobile user remembers how many tickets she/he has used, she/he can still preserve her/his privacy. For example, suppose a mobile user loses her/his unused ticket and remembers that she/he has consumed 4 tickets. Then the judge only needs to compute {δ_4, δ_5, δ_6, . . .} for H, and {δ_1, δ_2, δ_3} remain secret. H checks whether δ_j exists in its database for j = 4, 5, 6, . . .. If δ_j exists in its database and δ_{j+1} does not, H retrieves (T_j, w′) from the database via δ_j and uses it to charge the mobile user.
After the mobile user freezes her/his lost ticket, she/he can perform the protocol of Section 3.3 again to request a new ticket.

3. The communication is terminated abnormally: Consider the case in which the communication of Step 5 in Section 3.4 is terminated abnormally, i.e., the mobile user does not receive a renewed ticket. We assume that each time the mobile user successfully receives (t, ρ), she/he returns an ACK to H. If H does not receive the ACK, it stores (t, ρ) and (m*, δ*, σ*, γ, s*) in an unsuccessful-communication record. Thus the mobile user can retransmit (m*, δ*, σ*, γ, s*) to H, and H re-sends (t, ρ) to her/him.
Even if the mobile user has lost all information in the abnormal termination, i.e., she/he cannot unblind t or decrypt ρ when H retransmits them, she/he can notify H that she/he has lost her/his ticket and return to the protocol for requesting an anonymous ticket (Section 3.3) to request a new one. In such a case, H can still charge the mobile user correctly, and the mobile user can use the new ticket for subsequent communications.

Security Requirements
• Unlinkability: No one except the judge can trace a user when she/he is using her/his ticket to roam the mobile networks.

• Ticket Unforgeability: Nobody can forge a ticket without performing the ticket requesting protocol of Section 3.3 with the system.

• Tamper Resistance: The triple (δ, σ, γ) in a ticket cannot be modified.

• Ticket Swindling Resistance: Nobody can consume an eavesdropped ticket owned by some other user for communication services.

• Mutual Authentication: Neither a mobile user without a valid ticket nor an illegal system can pass the authentication.

• Secure Authenticated Key Exchange: After mutual authentication, a mobile user and V share a common session key unknown to any eavesdropper.

Unlinkability
In our scheme, a mobile user gets an initial anonymous ticket by running the ticket requesting protocol of Section 3.3 and obtains a renewed one by running the ticket using protocol of Section 3.4. In both Sections 3.3 and 3.4, the mobile user performs similar operations to get an anonymous ticket. Here we define the following game.
Definition 2. Let k be a security parameter, MS_0 and MS_1 be two honest mobile users, and J be the judge. The game is as follows.
Step 1. According to our proposed scheme, H sets up the system parameters, which consist of H's public key (e_H, n_H), secret key (d_H, p_H, q_H), and hash functions (F_1, F_2, F_3). J generates its key pair (pk_J, sk_J).
Proof. In Step 5 of Definition 2, if H is given ⊥, it determines b with probability 1/2, which is exactly the same as a random guess of b.
We assume that H gets (m_b, δ_b, σ_b, γ_b, s_b). Let (m ) be the view of H of the protocol of Section 3.3 and of the protocol of Section 3.4, respectively, where i ∈ {0, 1} and γ_0 = γ_1.
Consider (θ_i, γ_i, µ_i, ρ_i, ξ_i) in Section 3.3. Since E_pk_J and E_{k_i} are semantically secure encryption functions, the information encrypted in these ciphertexts is not revealed.

Ticket Unforgeability
In 2003, Bellare et al. introduced a problem called the RSA Chosen Target Inversion (RSA-CTI) Problem [20].Then they proved that the Full Domain Hash RSA (FDH-RSA) blind signature is unforgeable as long as the RSA-CTI problem is hard.In this section, we will show that the ticket requesting protocol of Section 3.3 and the ticket using protocol of Section 3.4 satisfy unforgeability as long as the FDH-RSA blind signature is with unforgeability.Theorem 2. If an attacker A can forge an unused ticket in the proposed scheme (Sections 3.3 or 3.4) with probability at least A in time t A , there exists a forger F that can break the unforgeability of the FDH-RSA blind signature with probability at least in time t such that where q F is the number of queries A makes to F, t F is the time for F to deal with a query, and t S D is the time for the FDH-RSA blind signing oracle to process a signing query.
Proof.The model of this proof is shown as Figure 6.Let S D be the FDH-RSA blind signing oracle.The public key of S D is (e H , n H ). First, F initializes the environment by generating the public/private key pair (pk J , sk J ) of the judge and selecting three hash functions (F 1 , F 2 , F 3 ).
Then F publishes (pk J , e H , n H , F 1 , F 2 , F 3 ).F utilizes (e H , n H ) as the public key of H of the system.F will simulate the system such that A can query F to get tickets.If A can output q F + 1 tickets after querying F q F times, we can succeed in one-more forgery to break the unforgeability of the FDH-RSA blind signature scheme.Here, we just show how to simulate the ticket requesting protocol of Section 3.3.The simulation of the ticket using protocol in Section 3.4 is similar to that of the protocol in Section 3.3.When A submits a query (α i , θ i ) to F, F will return (t i , ρ i , γ i ) to A. F is depicted in Figure 7. Finally, A outputs q F + 1 tickets (s i , m i , δ i , σ i , γ i ) where m i = m i , δ i = δ i , σ i = σ i , and 1 ≤ i = i ≤ q F + 1.The outputted tickets can be categorized into two subsets S T and S T where |S T | = q 1 and |S T | = q 2 .For each ticket (s j , m j , δ j , σ j , γ j ) in S T , (δ j , σ j ) is in L where 1 ≤ j ≤ q 1 , i.e., the tickets in S T are queried from F. On the other hand, each ticket in S T is forged by A. 
We say that A successfully breaks our scheme if (1) $q_1 + q_2 = q_F + 1$; (2) $q_1 \in [0, q_F]$; and (3) $q_2 \in [1, q_F + 1]$. In the following, we show that we can obtain $(q_F + q_1 + 2q_2)$ signatures by querying $S_D$ $(2q_F + q_2)$ times, where $(q_F + q_1 + 2q_2) - (2q_F + q_2) = q_1 + q_2 - q_F = 1$. First, according to the above simulation, we get $q_F$ signatures (s during the simulation. For the tickets $(s_j, m_j, \delta_j, \sigma_j, \gamma_j)$ in $S_T$, we obtain $q_1$ signatures $(s_{\alpha_j}, F_1(m_j))$ by retrieving $s_{\beta_j}$ from L via $(\delta_j, \sigma_j)$ and then computing $s_{\alpha_j} = s_j (s_{\beta_j})^{-1} \bmod n_H$, where $s_{\alpha_j}^{e_H} \equiv F_1(m_j) \pmod{n_H}$ with $1 \le j \le q_1$. For the tickets $(s_j, m_j, \delta_j, \sigma_j, \gamma_j)$ in $S'_T$, we get $q_2$ signatures $(\hat{s}_{\alpha_j}, F_1(m_j))$ and $q_2$ signatures $(\hat{s}_{\beta_j}, \delta_j, \sigma_j, \gamma_j)$ by the following procedure, where $1 \le j \le q_2$. We first randomly select $\hat{b}_j \in \{0,1\}^{l_r}$ and compute $\beta_j = \hat{b}_j^{e_H} F_2(\delta_j, \sigma_j, \gamma_j) \bmod n_H$. Then we send $\beta_j$ to $S_D$ and obtain $t_{\beta_j}$. Finally, we compute $\hat{s}_{\beta_j} = t_{\beta_j}(\hat{b}_j)^{-1} \bmod n_H$ and $\hat{s}_{\alpha_j} = s_j(\hat{s}_{\beta_j})^{-1} \bmod n_H$. Consequently, we query $S_D$ $(2q_F + q_2)$ times and obtain $(q_F + q_1 + 2q_2)$ signatures, and thus succeed in a one-more forgery against the FDH-RSA blind signature scheme.
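As an added illustration (not code from the paper), the following Python sketches the FDH-RSA blind signature that the reduction above relies on, together with the multiplicative splitting step $s_{\alpha_j} = s_j (s_{\beta_j})^{-1} \bmod n_H$ that yields a signature on $F_1(m_j)$ without an extra signing query; the RSA key, the SHA-256-based stand-in for $F_1$/$F_2$ and the sample ticket values are constructed toy parameters.

```python
import hashlib
import secrets
from math import gcd

# Toy RSA key pair for the signer H (the FDH-RSA blind signing oracle S_D in the
# proof). Two well-known Mersenne primes are used so the example runs offline;
# a real deployment uses a 2048-bit or larger modulus from a crypto library.
P = 2147483647                 # 2^31 - 1 (constructed toy parameter)
Q = 2305843009213693951        # 2^61 - 1 (constructed toy parameter)
N_H = P * Q
E_H = 65537
D_H = pow(E_H, -1, (P - 1) * (Q - 1))   # private exponent d_H


def fdh(tag: bytes, msg: bytes, n: int = N_H) -> int:
    """Stand-in for the full-domain hashes F_1 / F_2: SHA-256 reduced into Z_n.

    The tag keeps F_1 and F_2 distinct. Reducing a 256-bit digest mod n is a
    simplification of a true full-domain hash; adequate for a demonstration.
    """
    return int.from_bytes(hashlib.sha256(tag + b"|" + msg).digest(), "big") % n or 1


def blind(h: int, n: int = N_H, e: int = E_H) -> tuple:
    """Requester side: hide h behind a fresh random factor b (beta = b^e * h)."""
    while True:
        b = secrets.randbelow(n - 2) + 2
        if gcd(b, n) == 1:          # b must be invertible mod n to unblind later
            return (pow(b, e, n) * h) % n, b


def sign_oracle(beta: int, d: int = D_H, n: int = N_H) -> int:
    """Signer side (S_D): a plain RSA signature on whatever value it is handed."""
    return pow(beta, d, n)


def unblind(t: int, b: int, n: int = N_H) -> int:
    """Requester side: strip the blinding factor, t * b^{-1} = h^d mod n."""
    return (t * pow(b, -1, n)) % n


def verify(h: int, s: int, e: int = E_H, n: int = N_H) -> bool:
    """Anyone: check s^e == h (mod n)."""
    return pow(s, e, n) == h % n


def blind_sign(h: int) -> int:
    """One full blind-signing round on the hash value h."""
    beta, b = blind(h)
    return unblind(sign_oracle(beta), b)


def split_signature(s_combined: int, s_known: int, n: int = N_H) -> int:
    """Reduction step of the proof: from s_j with s_j^e = F_1(m) * F_2(d, s, g)
    and s_beta with s_beta^e = F_2(d, s, g), derive s_alpha = s_j * s_beta^{-1},
    a valid signature on F_1(m) alone (RSA is multiplicative)."""
    return (s_combined * pow(s_known, -1, n)) % n


def ticket_demo() -> dict:
    """Walk through the proof's bookkeeping with constructed sample values."""
    h_alpha = fdh(b"F1", b"constructed secret m")
    h_beta = fdh(b"F2", b"delta|sigma|gamma (constructed)")
    s_ticket = blind_sign((h_alpha * h_beta) % N_H)   # ticket signature s_j
    s_beta = blind_sign(h_beta)                        # signature on the F_2 part
    s_alpha = split_signature(s_ticket, s_beta)        # derived, no extra query
    return {
        "ticket_ok": verify((h_alpha * h_beta) % N_H, s_ticket),
        "alpha_ok": verify(h_alpha, s_alpha),
        "tampered_rejected": not verify(h_alpha, (s_alpha + 1) % N_H),
    }
```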

Tamper Resistance
In our scheme, the information $(\delta, \sigma, \gamma)$ of a ticket is used for anonymity control, charging, and recording the due date of the ticket, respectively. In this subsection, we show that no one can tamper with $(\delta, \sigma, \gamma)$ of a ticket. First, we introduce a problem called the alternative formulation of the RSA Known-Target Inversion (RSA-AKTI) Problem [20], which Bellare et al. proved to be hard.

Definition 4 (RSA AKTI).
Let $k \in \mathbb{N}$ be the security parameter. Let A be an adversary which can access the RSA-inversion oracle $O_{inv}$ and the challenge oracle $O_N$. The challenge oracle $O_N$ randomly returns $y_i \in \mathbb{Z}^*_{n_H}$ when it is queried. Consider the following experiment:

In the ticket requesting protocol (Section 3.3) and the ticket using protocol (Section 3.4), if $\lambda$ tickets are requested, the system side (the judge device) generates $(\delta_i, \sigma_i, \gamma_i)$ for each ticket, $1 \le i \le \lambda$. Here, we define ticket tampering below.
Theorem 3. The proposed scheme is secure against Ticket Tampering if the RSA-AKTI problem is hard.
Proof. The model of this proof is shown in Figure 8. There exist a simulator S and an attacker $A_{TR}$ in this model. S simulates the environment of our proposed scheme in the random oracle model. S engages in the proposed scheme to generate the key pair $(pk_J, sk_J)$ of the judge and creates two oracles $O_{F_1}$ and $O_{F_2}$. S can query the oracles $O_N$ and $O_{inv}$ defined in Definition 4. $A_{TR}$ queries $O_{F_1}$ and $O_{F_2}$ for the hashed values of the hash functions $F_1$ and $F_2$, respectively. There are two lists $L_{F_1}$ and $L_{F_2}$: $L_{F_1}$ stores $(m, \tau)$ where $F_1(m) = \tau^{e_H} \bmod n_H$, and $L_{F_2}$ records $(\delta, \sigma, \gamma, \pi)$ where $F_2(\delta, \sigma, \gamma) = \pi$. $A_{TR}$ can query S at most $\lambda_1$ times, $O_{F_1}$ at most $\lambda_2$ times, and $O_{F_2}$ at most $\lambda_3$ times. S, $O_{F_1}$, and $O_{F_2}$ are described in Figure 9. Before $A_{TR}$ queries S, S initializes the environment by publishing $(n_H, e_H, pk_J)$, setting $i_{guess} = 0$, and guessing a number $\lambda$ with $1 \le \lambda \le \lambda_3$. S guesses that $A_{TR}$ will successfully output a tampered ticket $(s, m, \delta, \sigma, \gamma)$ such that the 3-tuple $(\delta, \sigma, \gamma)$ was not produced by S, i.e., $(\delta, \sigma, \gamma) \notin \{(\delta_i, \sigma_i, \gamma_i)\}$ for each i with $1 \le i \le \lambda_1$, where the value of $F_2(\delta, \sigma, \gamma)$ was obtained from $O_{F_2}$ at the $\lambda$th query to $O_{F_2}$. As shown in Figure 9, when $A_{TR}$ submits a query $(\alpha_i, \theta_i)$ to S, S will send

If $A_{TR}$ successfully outputs a tampered ticket $(s, m, \delta, \sigma, \gamma)$ after $\lambda_1$ queries to S with probability at least $\varepsilon_{TR}$, we can obtain $x_{\lambda_1+1} \equiv (c')^{d_H} \pmod{n_H}$ with probability at least $\varepsilon'_{TR} \ge \varepsilon_{TR}/\lambda_3$ by the following procedure.

1. Search $L_{F_1}$ by m and get the entry $(m, \tau)$.

Consequently, S queries $O_N$ $(\lambda_1 + 1)$ times and $O_{inv}$ $\lambda_1$ times, and we obtain $(x_1, \ldots, x_{\lambda_1})$ from L and $x_{\lambda_1+1}$ such that $x_i^{e_H} \equiv c_i \pmod{n_H}$ and $x_{\lambda_1+1}^{e_H} \equiv c' \pmod{n_H}$ with $1 \le i \le \lambda_1$. We thus solve the RSA-AKTI problem with non-negligible probability at least $\varepsilon'_{TR}$.

Ticket Swindling Resistance
In our scheme, a mobile user has to show $T = (F_1(m^*), \delta^*, \sigma^*, \gamma, s^*)$ for authentication. In this subsection, we prove that no one can pass authentication via an eavesdropped T; we call this property Ticket Swindling Resistance. To prove it, we first introduce the communication model and some definitions.
The Communication Model. We briefly describe the communication model [21,22] of our distributed environment. The oracle $\Pi^u_{MS_i,V_j}$ models a mobile user $MS_i$ performing the anonymous authentication protocol of Section 3.4 with the entity $V_j$ in the uth session of $MS_i$. The oracle $\Pi^v_{V_j,MS_i}$ models a system entity $V_j$ performing the protocol with the mobile user $MS_i$ in the vth session of $V_j$. An adversary E is a probabilistic polynomial-time Turing machine that is allowed to make the following queries.
• Execute($\Pi^u_{MS_i,V_j}$, $\Pi^v_{V_j,MS_i}$): This query models all kinds of passive attacks. $MS_i$ and $V_j$ carry out the protocol of Section 3.4 and the adversary E can eavesdrop on all messages transmitted between $MS_i$ and $V_j$.
• Send($\Pi$, M): This query models all kinds of active attacks. The adversary E can send any message M to $\Pi^u_{MS_i,V_j}$ or $\Pi^v_{V_j,MS_i}$, which respond to E according to the protocol of Section 3.4. E can make the query Send($\Pi^u_{MS_i,V_j}$, N) to get the first flow, where N is the empty string.
• Reveal($\Pi^u_{MS_i,V_j}$): This query allows the adversary to get the session key of $\Pi^u_{MS_i,V_j}$ if it and its partner oracle have successfully finished mutual authentication and established a common session key.
• Reveal(T): This query allows the adversary to obtain the secret value m if T has been successfully consumed for authentication, where $T = (F_1(m), \delta, \sigma, \gamma, s)$.

• Corrupt($V_j$): This query reveals $V_j$'s long-term key $sk_{V_j}$.
In our protocol, once a mobile user consumes her/his T for authentication, T is kept in the system's database for double-use checking. Hence, a successfully used T cannot be consumed again by any eavesdropper. An attacker can only try to swindle an eavesdropped T which has not yet been successfully used, i.e., the attacker has to interfere with the authentication process after she/he obtains T in the first flow of the authentication protocol of Section 3.4. We define Ticket Swindling below.

Definition 6 (The Ticket Swindling Game). Let $k \in \mathbb{N}$ be the security parameter. $A_{TS}$ is a polynomial-time adversary who tries to swindle an eavesdropped T. Consider the following experiment:

2. T is output by $\Pi^u_{MS_i,V_j}$
3. $r_5$ has never been output by $\Pi^u_{MS_i,V_j}$
4. $A_{TS}$ has never made Reveal(T) and Corrupt($V_j$) queries

The advantage of $A_{TS}$ is $Adv^{TS}_{A_{TS}}(k)$. We say that our scheme satisfies Ticket Swindling Resistance if $Adv^{TS}_{A_{TS}}(k)$ is negligible. Besides, we define the following Indistinguishability Game under the Chosen-Ciphertext Attack (IND-CCA) based on [23].

Definition 7 (IND-CCA).
Let $k \in \mathbb{N}$ be the security parameter. C is a challenger and F is a polynomial-time adversary. P is an asymmetric cryptosystem with semantic security whose public-private key pair is (pk, sk). There are two oracles $O_E$ and $O_D$: F can query $O_E$ to encrypt a plaintext under pk and $O_D$ to decrypt a ciphertext under sk. Consider the following experiment:

If the following are both true, return 1; else return 0:
1. F never submits the query

We also introduce the RSA Single-Target Inversion Problem (RSA-STI) [20] as follows.

does not know x and sets $F_3(r_2 \| r_4) = \bot$. The simulation fails if $A_{TS}$ sends the query $(r_2 \| r_4)$ to $O_{F_3}$. However, we show in the Appendix that the probability of this failure is negligible.
In Figure 11, if true, this means that the current session v matches the $\lambda$th Send($\Pi^u_{MS_i,V_j}$, N) query. After finishing the simulation, $S_{TS}$ can retrieve (m, T) from $L_{usedT}$ via $T_{guess}$. If $m = \bot$, $S_{TS}$ has that $T_{guess} = T = (m = y, \delta, \sigma, \gamma, s)$ where $y = F_1(m) = m^e \bmod N$; thus $S_{TS}$ solves the RSA-STI problem. Therefore, if $A_{TS}$ can, with non-negligible probability at least $\varepsilon_{TS}$, consume an eavesdropped T to successfully perform the anonymous authentication protocol of Section 3.4 with $\Pi^v_{V_j,MS_i}$, then $S_{TS}$ solves the RSA-STI problem with non-negligible advantage at least $\varepsilon_{TS}/q_2$.

Secure Mutual Authentication
In order to prove the security of mutual authentication in the proposed scheme, we first introduce Matching Conversations and No Matching$_E(k)$ [21,22].
Definition 9 (Matching Conversations). Fix a number of flows $R = 2\rho - 1$ and an R-flow protocol $P = (\Pi, G)$, where $\Pi$ specifies how players behave and G generates key pairs for each entity. Run P in the presence of an adversary E and consider two oracles $\Pi^u_{MS_i,V_j}$ and $\Pi^v_{V_j,MS_i}$ that engage in conversations K and K', respectively.

1. K is a matching conversation to K' if there exist and K is prefixed by and K' is prefixed by

Theorem 5. The protocol of Section 3.4 is a secure mutual authentication protocol.
Proof. Our authentication protocol satisfies the first condition of Definition 11 if the adversary acts as a wire. Hence, we concentrate on the proof for the second condition. When we carry out the experiment of the communication model against E, E may succeed in the following two cases. Case 1: there exists an oracle $\Pi^u_{MS_i,V_j}$ which accepted, where $MS_i, V_j \notin S_C$ and $S_C$ is the set of corrupted entities, but no oracle $\Pi^v_{V_j,MS_i}$ has a matching conversation to $\Pi^u_{MS_i,V_j}$. Case 2: there exists an oracle $\Pi^v_{V_j,MS_i}$ which accepted, but no oracle $\Pi^u_{MS_i,V_j}$ has a matching conversation to $\Pi^v_{V_j,MS_i}$. Suppose that E succeeds with probability $\varepsilon_1$ in Case 1 and $\varepsilon_2$ in Case 2.
Thus, if No Matching$_E(k)$ is non-negligible, $\varepsilon_1$ or $\varepsilon_2$ must be non-negligible.
In Case 1, E has to make a Send($\Pi^u_{MS_i,V_j}$, N) query at some time $\tau_0$ and a Send($\Pi^u_{MS_i,V_j}$, $(r_1, r_4)$) query at some time $\tau_2 > \tau_0$. If $(r_1, r_4)$ is valid, the state of $\Pi^u_{MS_i,V_j}$ changes to "accepted". The proof model of this case is depicted in Figure 12. In the proof model, we construct a simulator $S_{MA}$ that simulates the communication environment for E and tries to break IND-CCA as defined in Definition 7. Assume that there are $q_1$ entities $MS_i$ and $q_2$ entities $V_j$ in the communication environment, and that E performs Send($\Pi^u_{MS_i,V_j}$, N) at most $q_3$ times with $i \in \{1, \ldots, q_1\}$ and $j \in \{1, \ldots, q_2\}$, where $q_1$, $q_2$, and $q_3$ are polynomials in the security parameter k. There also exists an oracle $O_T$ that plays the role of H and runs the protocol of Section 3.3 to issue tickets.
In Line 22 of $\Pi^u_{MS_i,V_j}$ in Figure 13 $+ (q_2 q_3 - 1) + (q_2 q_3 - 1)$

In Case 2, E has to send a valid 4-tuple $(\alpha,$ first and then respond with a valid string $r_5$ after receiving $(r_1, r_4)$. Let $S_T$ be the set of T's obtained by $\Pi^u_{MS_i,V_j}$. The following are two sub-cases in which E successfully impersonates $\Pi^u_{MS_i,V_j}$.

2. $T \in S_T$: In this sub-case, E successfully swindles a T which is owned by $\Pi^u_{MS_i,V_j}$. We have proved ticket swindling resistance in Section 4.5. Consequently, the probability that E is successful in this sub-case is also negligible. Therefore, the probability $\varepsilon_2$ is negligible. We conclude that No Matching$_E(k)$ is negligible because $\varepsilon_1$ and $\varepsilon_2$ are both negligible.

Secure Authenticated Key Exchange
First, we introduce a new query, Test($\Pi^u_{MS_i,V_j}$). An adversary E can ask the Test($\Pi^u_{MS_i,V_j}$) query after $\Pi^u_{MS_i,V_j}$ has established a session key $r_3$ with another oracle $\Pi^v_{V_j,MS_i}$. To answer this query, the oracle flips a fair coin $b \leftarrow \{0,1\}$ and returns $r_k = r_3$ if $b = 0$ and $r_k \in_R \{0,1\}^{l_r}$ if $b = 1$. In the following, we define an experiment which was also introduced in [15,21].

Definition 12. Let $k \in \mathbb{N}$ be a security parameter. In this experiment, the adversary E tries to guess whether the value $r_k$ returned by the Test($\Pi^u_{MS_i,V_j}$) query is a random string or the real session key.

Experiment Exp
We define the advantage of E as $Adv^{GoodGuess}$

In Line 3 of Reveal($\Pi^u_{MS_i,V_j}$) in Figure 15, S aborts the simulation because it cannot return the established session key. If the simulation is aborted, S randomly guesses $b' \in \{0,1\}$. Otherwise, after E performs Test($\Pi^u_{MS_i,V_j}$) and outputs $b'$, S outputs the same $b'$. Thus, S outputs a correct bit $b'$ $(= b)$ to C with probability $\varepsilon'$, where $\varepsilon' \ge \frac{\varepsilon + \frac{1}{2}}{q_2 q_3} + \frac{q_2 q_3 - 1}{2 q_2 q_3} = \frac{2\varepsilon + 1 + q_2 q_3 - 1}{2 q_2 q_3} = \frac{1}{2} + \frac{\varepsilon}{q_2 q_3}$, so the advantage $\varepsilon / (q_2 q_3)$ of S is also non-negligible.

The Forward Secrecy Extension
Forward secrecy is an advanced security feature which keeps past session keys secure even if the long-term key of a system is stolen by attackers. If a scheme lacks forward secrecy, an attacker who has obtained the long-term key by some means can compute all past session keys which were derived from it.
Our anonymous authentication protocol can easily be extended with forward secrecy by adopting the Diffie-Hellman key exchange protocol [24]. The extended protocol is given in Figure 16. Let p be a prime and g a generator of order q in $\mathbb{Z}^*_p$, where q is also prime and $q \mid (p - 1)$. In the extended authentication protocol, when MS is preparing $\theta_2$, she/he randomly chooses an integer $a \in \{1, \ldots, q\}$ and computes $r_3 = g^a \bmod p$. Then MS sets $\theta_2 = E_{pk_V}(r_1, r_2, r_3)$. V prepares $r_4 = g^b \bmod p$, where b is randomly selected from $\{1, \ldots, q\}$, and sends $(r_1, r_4)$ to MS. Finally, MS computes the session key $k_s = r_4^a \bmod p$ and V computes $k_s = r_3^b \bmod p$. In the extended version, the mobile user has to perform two more exponentiations, i.e., $r_3 = g^a \bmod p$ and $k_s = r_4^a \bmod p$, to complete her/his authentication. The mobile user can pre-compute $r_3 = g^a \bmod p$ before the communication.
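The Diffie-Hellman extension above, written out as an added Python example (not the paper's own code) with the order-$q$ subgroup check that each side should run on the $r_3$ or $r_4$ it receives; the group is constructed at run time from a toy-sized safe prime $p = 2q + 1$, the exponents are drawn from $\{1, \ldots, q-1\}$ (excluding $a = q$, which would give $r_3 = 1$), and the encryption of $\theta_2$ and the other flows of the protocol are left out.

```python
import secrets

# Small primes for trial division before the Miller-Rabin rounds.
SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47)


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin probable-prime test with `rounds` random bases."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_group(bits: int = 128) -> tuple:
    """Return (p, q, g): p = 2q + 1 and q prime, g of order q in Z_p^*.

    Toy-sized parameters generated on the fly; a deployment takes its group
    from a vetted source rather than generating one per run."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q, 8) and is_probable_prime(2 * q + 1, 8):
            break
    p = 2 * q + 1
    while True:  # any square other than 1 generates the order-q subgroup
        g = pow(secrets.randbelow(p - 2) + 2, 2, p)
        if g != 1:
            return p, q, g


def in_subgroup(x: int, p: int, q: int) -> bool:
    """Reject 0, 1, p-1 and anything outside the order-q subgroup."""
    return 1 < x < p - 1 and pow(x, q, p) == 1


def ms_prepare(p: int, q: int, g: int) -> tuple:
    """MS: choose ephemeral a and r_3 = g^a mod p (can be precomputed)."""
    a = secrets.randbelow(q - 1) + 1
    return a, pow(g, a, p)


def v_respond(p: int, q: int, g: int, r3: int) -> tuple:
    """V: validate r_3, choose ephemeral b, return (r_4, k_s = r_3^b)."""
    if not in_subgroup(r3, p, q):
        raise ValueError("r_3 is not a valid element of the order-q subgroup")
    b = secrets.randbelow(q - 1) + 1
    return pow(g, b, p), pow(r3, b, p)


def ms_finish(p: int, q: int, a: int, r4: int) -> int:
    """MS: validate r_4 and derive k_s = r_4^a mod p."""
    if not in_subgroup(r4, p, q):
        raise ValueError("r_4 is not a valid element of the order-q subgroup")
    return pow(r4, a, p)


def run_extension(p: int, q: int, g: int) -> tuple:
    """One run of the extension; returns (k_s at MS, k_s at V)."""
    a, r3 = ms_prepare(p, q, g)        # r_3 travels inside theta_2 = E_pkV(r_1, r_2, r_3)
    r4, ks_v = v_respond(p, q, g, r3)  # V answers with (r_1, r_4)
    ks_ms = ms_finish(p, q, a, r4)
    del a                              # ephemeral exponent is discarded after use
    return ks_ms, ks_v
```

Because $k_s$ depends only on the discarded exponents a and b, a later disclosure of $sk_V$ lets an attacker decrypt $\theta_2$ and learn $r_3$, but not $k_s$, which is the forward secrecy property the DDH proof below formalizes.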

The Security Proof for the Forward Secrecy Extension
First, we define the Decisional Diffie-Hellman (DDH) Assumption introduced in [25].

Definition 14 (DDH). Let p be a prime and g a generator of prime order q in $\mathbb{Z}^*_p$ where $q \mid (p - 1)$. Given $(p, q, g, g^a \bmod p, g^b \bmod p, g^c \bmod p)$, it is computationally hard to decide whether $c \equiv ab \pmod q$.

After the $\lambda$th Execute($\Pi^u_{MS_i,V_j}$, $\Pi^v_{V_j,MS_i}$) query, E makes the Test($\Pi^u_{MS_i,V_j}$) query and outputs a guess bit $b'$. Then $S_{FS}$ tries to solve the DDH problem as follows. If $b' = 0$, $S_{FS}$ decides $c \equiv ab \pmod q$. If $b' = 1$, $S_{FS}$ decides $c \not\equiv ab \pmod q$. Besides, if E does not make the Test($\Pi^u_{MS_i,V_j}$) query for the $\lambda$th Execute($\Pi^u_{MS_i,V_j}$, $\Pi^v_{V_j,MS_i}$), $S_{FS}$ randomly chooses $b' \in \{0,1\}$. Assume that E outputs the correct bit $b'$ with probability at least $(\varepsilon + \frac{1}{2})$ for non-negligible $\varepsilon$. Then $S_{FS}$ has non-negligible advantage at least $\frac{\varepsilon + \frac{1}{2}}{q_3} + \frac{q_3 - 1}{2 q_3} - \frac{1}{2} = \frac{\varepsilon}{q_3}$ in breaking the DDH assumption, i.e., $Adv^{GoodGuessFS}_E(k) \ge \varepsilon / q_3$.

Comparisons
First, we describe the features required by mobile users when they roam around mobile networks.

1. Hiding identity: Mobile users hide their real identities from the system operators, H and V, and from eavesdroppers.
2. No relation: It is difficult for the system to derive the relation between any two rounds of communication of the same mobile user.
3. Secure channels: After mutual authentication between an anonymous mobile user and the system operator, they must establish a shared session key for the following communication activities.
4. Fair privacy: Fair privacy covers traceability and revokeability. If a crime happens, the police can trace the identities of the related anonymous mobile users, or the judge can revoke their privacy.
5. Credit-based chargeability: As mentioned in Section 3.5, the credit-based charging method is better than the debit-based one since the former (1) matches the practical situation of current GSM services; (2) greatly reduces the relations between any two rounds of communication; and (3) is free from the problem of overspending.

The comparisons between our proposed scheme and the others are summarized in Table 1. In Table 1, the authors of [6] also mentioned untraceability and revokeability, but they did not realize them in their scheme. We believe that realizing untraceability and revokeability is not trivial.

Performance Evaluation
In Table 2, we summarize the computation cost of the proposed protocols, where E denotes the cost of a modular exponentiation. Besides, we show the benchmark of Crypto++, a C++ class library of cryptographic computations, in Table 3 [29]. The benchmark was measured by running Crypto++ on a machine with an Intel Celeron 450 MHz CPU under Windows 2000. Furthermore, we list the hardware specifications of some recently popular mobile devices in Table 4 [30]. In Table 4, we also implemented the RSA cryptosystem to check whether our proposed system is practically efficient. According to Tables 3 and 4, we can objectively say that our protocols can be implemented and executed efficiently on present mobile devices. Consequently, our anonymous authentication protocols can be performed in reasonable time when a mobile user roams over the mobile network with her/his mobile device.

Conclusions
We have proposed a mobile authentication scheme which authenticates mobile users anonymously. When a mobile user enters anonymity mode, she/he can perform a mutual authentication process with the system operator. The system operator can correctly charge the anonymous user according to the time she/he consumed, via a credit-based method. Furthermore, if a mobile user misuses the anonymity property, the judge can revoke her/his privacy and trace her/him.
In the proposed scheme, the privacy of an honest mobile user might be broken by the system operator if the mobile user loses her/his ticket, since the system operator must trace her/his used tickets to find her/his spending value. Finding a solution to this problem would be an interesting research topic.

$\frac{\varepsilon_{HQ}}{q_{HQ} q_2} + \frac{(1 - \varepsilon_{HQ})\left(\frac{2^{l_r} - 1}{2^{l_r}}\right)}{2 q_{HQ} q_2} + \frac{q_{HQ} q_2 - 1}{2 q_{HQ} q_2} \ge \frac{2\varepsilon_{HQ} + 1 - \varepsilon_{HQ} + q_{HQ} q_2 - 1}{2 q_{HQ} q_2} = \frac{\varepsilon_{HQ}}{2 q_{HQ} q_2} + \frac{1}{2}.$
Thus, $S_{HQ}$ is an adversary F with non-negligible advantage $Adv^{IND\text{-}CCA}_F(k) \ge \varepsilon_{HQ} / (2 q_{HQ} q_2)$ in the IND-CCA game.

Figure 2. Overview of the proposed scheme.

Figure 3. The protocol for requesting an initial anonymous ticket.

3.4. The Protocol for Using an Anonymous Ticket in the ith Round before the Due Date

Figure 4. The protocol for using an anonymous ticket in the i-th round before the due date.

Figure 5. The protocol for terminating the communication and getting a returned ticket for the next round of communication.

Step 2. H generates and outputs two messages $m_0$ and $m_1$.
Step 3. Randomly pick a bit $b \in \{0,1\}$ and place $m_b$ and $m_{1-b}$ on the private input tapes of $MS_0$ and $MS_1$, respectively. The bit b is not revealed to H.
Step 4. H performs the protocol (Section 3.3 or 3.4) of our scheme with $MS_0$ and $MS_1$, respectively, to issue blinded tickets to them.
Step 5. If $MS_0$ and $MS_1$ output two tickets $(m_b, \delta_b, \sigma_b, \gamma_b, s_b)$ and $(m_{1-b}, \delta_{1-b}, \sigma_{1-b}, \gamma_{1-b}, s_{1-b})$ on their private tapes, respectively, give the two 5-tuples in a random order to H; otherwise, $\bot$ is given to H.
Step 6. H outputs $b' \in \{0,1\}$ as the guess of b. H wins the game if $b' = b$. Define the advantage of H as $Adv^{Linkability}_H(k) = |2P[b' = b] - 1|$, where $P[b' = b]$ denotes the probability that $b' = b$.

Definition 3 (Unlinkability). In our scheme, the protocols in Sections 3.3 and 3.4 satisfy the unlinkability property if the advantage $Adv^{Linkability}_H(k)$ in the game of Definition 2 is negligible.

Theorem 1. If $E_{pk_J}$ and $E_k$ are two semantically secure encryption functions, our proposed protocols in Sections 3.3 and 3.4 satisfy the unlinkability property.

)-(3) are satisfied. Hence, considering Step 6 of the game, H succeeds in determining b with probability $\frac{1}{2}$. We have that $P[b' = b] = \frac{1}{2}$ and $Adv^{Linkability}_H$

Figure 6. The model of the proof for unforgeability.

Figure 8. The model of the proof for Tamper Resistance.

Figure 9. The oracles in the proof of Tamper Resistance.

Figure 11. The oracle $\Pi^u_{MS_i,V_j}$ in the proof of Ticket Swindling Resistance.

, $S_{MA}$ tries to break IND-CCA as follows. If $f_{guess} = 0$, $S_{MA}$ guesses $b' = 0$ when $r_1 = \hat{r}_1$, guesses $b' = 1$ when $r_1 = r'_1$, and randomly guesses $b' \in \{0,1\}$ when $r_1 \ne \hat{r}_1$ and $r_1 \ne r'_1$. If $f_{guess} = 1$, $S_{MA}$ randomly guesses $b' \in \{0,1\}$. If $\varepsilon_1$ is non-negligible, $S_{MA}$ has non-negligible advantage $Adv^{IND\text{-}CCA}_{S_{MA}}(k)$ of outputting a guess bit $b'$ such that $b' = b$, where $Adv^{IND\text{-}CCA}$

Figure 16. The proposed anonymous authentication protocol with forward secrecy.

Figure 18. The oracles of the proof of Theorem 7.

domain; V: Visiting domain; E: Eavesdroppers; NoR: Hard to derive the relation between any two rounds; S: Secure channel; T: Traceability (tracing a criminal user); R: Revokeability (revoking the privacy of a user when necessary); : Achieving the feature; ×: Not achieving the feature; : Not realizing the feature.

Figure A2. The oracles in the proof of Theorem A1.

$\Pi^u_{MS_i,V_j}$ and $\Pi^v_{V_j,MS_i}$ are said to have had matching conversations if K' is a matching conversation to K and K is a matching conversation to K'.

Definition 10 (No Matching$_E(k)$). Let $k \in \mathbb{N}$ be the security parameter. No Matching$_E(k)$ is the event that, when protocol P is run against an adversary E, there exists an oracle $\Pi^u_{MS_i,V_j}$ with $MS_i, V_j \notin S_C$ (where $S_C$ denotes the set of entities corrupted by E) which accepted but there is no oracle $\Pi^v$

Table 4. Some popular mobile devices. E: encrypting 256 bits of data; D: decrypting 256 bits of data.