Improved and Provably Secure ECC-Based Two-Factor Remote Authentication Scheme with Session Key Agreement

Abstract

The remote authentication scheme is a cryptographic protocol incorporated by user–server applications to prevent unauthorized access and security attacks. Recently, a two-factor authentication scheme using hard problems in elliptic curve cryptography (ECC)—the elliptic curve discrete logarithm problem (ECDLP), elliptic curve computational Diffie–Hellman problem (ECCDHP), and elliptic curve factorization problem (ECFP)—was developed, but was unable to address several infeasibility issues while incurring high communication costs. Moreover, previous schemes were shown to be vulnerable to privileged insider attacks. Therefore, this research proposes an improved ECC-based authentication scheme with a session key agreement to rectify the infeasible computations and provide a mechanism for the password change/update phase. The formal security analysis proves that the scheme is provably secure under the random oracle model (ROM) and achieves mutual authentication using BAN logic. Based on the performance analysis, the proposed scheme resists the privileged insider attack and attains all of the security goals while keeping the computational costs lower than other schemes based on the three hard problems. Therefore, the findings suggest the potential applicability of the three hard problems in designing identification and authentication schemes in distributed computer networks.

1. Introduction

Currently, more Internet users depend on user–server-based applications for e-commerce, banking services, and operational networks because of their convenience and efficiency. These applications allow users to obtain numerous services remotely at any time, anywhere. This type of communication between the user and server usually involves data transmission and financial transactions over a public channel, such as the Internet. Unfortunately, sharing sensitive information over the public channel is insecure, exposing both parties to greater security risks and attacks. Therefore, a remote authentication scheme is imperative for verifying legal users and defending against unauthorized usage.

The first password authentication scheme by Lamport [1] is called a single-factor-based scheme because the user only needs to present a password to be verified by the server. However, studies have shown that single-factor-based schemes are subjected to security pitfalls. Since then, remote authentication schemes were designed based on two or more factors to increase the systems’ security. For example, in addition to a password, the user is required to possess a registered smart card or a mobile device. For a multi-factor scheme, the user may also need to present a biometric trait such as a fingerprint.

Many two-factor smart-card-based remote authentication schemes have been proposed. Figure 1 depicts the general architecture of the two-factor authentication scheme, which consists of multiple users and a single server. In this system, the remote user must register with a valid identity and secret password with the server. Next, the server issues a legal smart card to the first-time registered user to access the required services. The smart card is employed to store the registered user’s secret credentials for future login requests and perform cryptographic computations during the authentication process.

Figure 1. Architecture of two-factor remote authentication with multiple users and a single server.

Like other cryptographic schemes and protocols, the two-factor-based authentication schemes rely on the security primitives of one-way hash functions (e.g., SHA-2 [2]) and number-theoretic computational hard problems in public-key cryptography. For instance, the works by [3,4,5] were developed based on only one-way hash functions. Other schemes were built based on the intractability of hard problems, including the integer factorization problem in RSA [6], discrete logarithm problem [7], and elliptic curve discrete logarithm problem [8,9] in elliptic curve cryptography (ECC). ECC-based schemes are more prevalent than RSA-based schemes due to the smaller key size requirement [10].

In 2008, Juang et al. [11] first proposed an ECC-based remote password authentication scheme with a session key agreement for the client–server environment. The security of their scheme depended on two hard problems in ECC: the elliptic curve discrete logarithm problem (ECDLP) and elliptic curve computational Diffie–Hellman problem (ECCDHP). They claimed that their scheme preserved all of the security merits of the scheme by Fan et al. [12] and reduced the computational cost. Subsequently, Sun et al. [13] and Li et al. [14] found weaknesses in the design of the scheme by Juang et al. [11] in terms of the password-change phase and session key distribution, the inefficiency of using two secret keys, and user anonymity. Hence, both suggested enhancements to fix the design flaws.

Several improvements by [15,16,17] were presented to overcome the problems in the Sun et al. [13] scheme to resist offline password-guessing attacks, denial-of-service attacks, smart card loss attacks, and key compromise impersonation attacks. Later, Liu and Ma [18] found that the scheme by Sun et al. [13] still lacked user untraceability and resolved the issue with an improved efficiency. Then, the scheme by Li et al. [14] was found to suffer from desynchronization attacks [17,19]. Hence, Tsai et al. [19] and Byun [20] proposed new schemes with formal security model proofs to strengthen the scheme’s security. Both schemes maintained the security of their schemes based on the hard problems of ECDLP and ECCDHP.

Wang et al. [21] proposed a two-factor authentication scheme for a ubiquitous computing environment based on ECDLP. Their scheme was shown to provide better security features and a lower computational cost. Subsequently, Wu et al. [22] showed that the scheme by Wang et al. [21] could not resist offline dictionary attacks, known session key attacks, denial-of-service attacks, and impersonation attacks using a compromised smart card. Meanwhile, Chang et al. [23] pointed out that the scheme by Wang et al. [21] did not satisfy mutual authentication and could not be incorporated using a multipurpose smart card. Hence, both [22,23] proposed new improved schemes to overcome these weaknesses.

In another study, Wang [24] found some security flaws in the design of the single-factor scheme by Islam and Biswas [25]. They developed a new scheme using smart cards with the security foundation of ECDLP, ECCDHP, and a one-way hash function. They claimed that their scheme offered resistance to impersonation attacks and improved the computational efficiency by removing the expensive bilinear pairing operation. Later, Odelu et al. [26] presented further improvements to resist the offline password attack and provide user anonymity. They proved that their scheme could withstand various security attacks and showed that it was provably secure under the random oracle model (ROM).

Other recent works have also proposed ECC-based two-factor schemes with added security features. Madhusudhan et al. [27] suggested a new scheme based on ECC and a fuzzy verifier for quick password verification. They showed that their scheme could resist replay attacks and provide security of the secret key, user untraceability, and perfect forward secrecy. Finally, Kumari et al. [28] designed a novel scheme that provides resistance against offline password-guessing attacks, lost smart card attacks, replay attacks, impersonation attacks, desynchronization attacks, and insider attacks.

1.1. Motivations and Contributions

In 2014, Qu and Tan [29] proposed a two-factor scheme based on the security of a collision-resistant one-way hash function, ECDLP, ECCDHP, and the elliptic curve factorization problem (ECFP). Later, Huang et al. [30] suggested security enhancements to overcome the offline password-guessing attack and user impersonation attack. However, in 2016, Maitra et al. [31] showed that the scheme by Huang et al. [30] was vulnerable to a new forgery attack. They also pointed out that the scheme by [30] could not be implemented in real-world problems because of some computational infeasibility issues. Later, both Chaudhry et al. [32] and Mehmood et al. [33] also suggested improvements to repel the user impersonation attack.

Although Maitra et al. [31] suggested security enhancements to the scheme by Huang et al. [30], their scheme exacted a higher computational cost compared to schemes by [29,30,32,33]. Even though the schemes designed by Chaudhry et al. [32] and Mehmood et al. [33] improved the efficiency of the scheme by Huang et al. [30], their schemes overlooked the computational infeasibility issues. In addition, their schemes did not provide a mechanism for the password change phase and were unable to withstand the privileged insider attack. Moreover, previously improved schemes by Maitra et al. [31] and Mehmood et al. [33] did not maintain all three hard problems in ECC: ECDLP, ECCDHP, and ECFP.

Therefore, this study proposes a new ECC-based two-factor remote authentication scheme based on Chaudhry et al. [32] to resolve these shortcomings. The scheme retains all of the security attributes of the scheme by Maitra et al. [31], including user traceability and efficient local password changeability. In addition, the proposed scheme is proven to withstand offline password-guessing attacks, replay attacks, privileged insider attacks, stolen-verifier attacks, and key-compromise impersonation attacks. Based on the formal security analysis, the proposed scheme is provably secure under ROM against adversary threats. Furthermore, the analysis showed that the proposed scheme is more efficient than the scheme by Maitra et al. [31].

1.2. Structure of the Article

Section 2 briefly describes the security fundamentals, adversary model, a review of Chaudhry et al. [32], and the drawbacks that are considered when developing the proposed scheme. Next, Section 3 explains the new proposed scheme. The formal security proof, informal security analysis, and formal verification using BAN logic are presented in Section 4. The proposed scheme is compared with other chosen schemes in the performance analysis according to the security and efficiency aspects given in Section 5. Then, Section 6 discusses the potential applications of the proposed scheme and future research considerations. Finally, Section 7 presents the conclusion.

2. Preliminaries

This section provides a brief overview of the mathematical concepts, formal definitions, adversary model, security goals, and BAN logic that served as the foundation in the design of the proposed scheme. Table 1 shows the notations and descriptions used in this paper.

Table 1. Notations and descriptions.

Notation	Description	Notation	Description
S	Server	P	Base point on $G_p$ of order n such that $\left[n\right]P=\mathcal{O}$ and n is the smallest integer $>0$
$U_i$	User i	${\mathbb{Z}}_n^{*}$	Multiplicative group mod n
$\mathcal{A}$	Adversary	s	Secret key, random integer such that $s\in {\mathbb{Z}}_n^{*}$
${ID}_i$	$U_i$’s identity	$P_{pub}$	Public key, $P_{pub}=\left[s\right]P\in G_p$
${pw}_i$	$U_i$’s password	$h(·)$	One-way hash function, $h:{\{0,1\}}^{*}\to {\mathbb{Z}}_n^{*}$
${SC}_i$	$U_i$’s smart card	⟹	Secure channel
p	k-bit prime number, k is at least 512 bits	⟶	Public channel
$E\left({\mathbb{F}}_p\right)$	The set of points on an elliptic curve over a finite field ${\mathbb{F}}_p$	∥	String concatenation operation
$G_p$	Additive cyclic subgroup of $E\left({\mathbb{F}}_p\right)$, where $G_p=E\left({\mathbb{F}}_p\right)\cup \left\{\mathcal{O}\right\}$	⊕	Bitwise XOR operation
$\mathcal{O}$	The point at infinity that is an identity element of $E\left({\mathbb{F}}_p\right)$

2.1. Hash Function

A cryptographic one-way function $h:{\{0,1\}}^{*}\to {\{0,1\}}^l$ has the following properties:

• The function h takes an arbitrary length input $x\in {\{0,1\}}^{*}$ and returns a fixed l-bit length message digest $y\in {\{0,1\}}^l$.
• The function h is one-way; it is trivial to compute $y=h\left(x\right)$, but computationally infeasible to find the inverse $x=h^{-1}\left(y\right)$.
• The function h is collision-resistant; it is computationally infeasible to find two inputs $x_1\ne x_2$ such that $h\left(x_1\right)=h\left(x_2\right)$.

Examples of secure hash algorithms, such as the SHA-2 family of hash functions [2], can be adopted in the proposed scheme.

Definition 1. 

An adversary $\mathcal{A}$’s advantage in finding a collision is the probability of $\mathcal{A}$ selecting the pair $(x_1,x_2)$ at random within polynomial time $t_1$ so that $x_1\ne x_2$ and $h\left(x_1\right)=h\left(x_2\right)$, defined formally as

$${Adv}_{\mathcal{A}}^{\mathcal{H}ash}\left(t_1\right)=Pr[(x_1,x_2){\Leftarrow }_R\mathcal{A}:x_1\ne x_2\wedge h\left(x_1\right)=h\left(x_2\right)].$$

(1)

If ${Adv}_{\mathcal{A}}^{\mathcal{H}ash}\left(t_1\right)\le {\epsilon }_1$, for any sufficiently small negligible function ${\epsilon }_1>0$, the one-way hash function $h(·)$ is collision-resistant.

2.2. Elliptic Curve over Finite Fields

The elliptic curve over a finite field ${\mathbb{F}}_p$ is defined as $E_p(a,b):y^2=x^3+ax+b$ (mod p), where p is prime and satisfies the condition $4a^3+27b^2\ne 0$ (mod p). If point $P\in E\left({\mathbb{F}}_p\right)$ and $k\in {\mathbb{Z}}_p^{*}$, then the elliptic point multiplication operation $\left[k\right]P$ is the repeated point addition k times on point P.

$$\left[k\right]P=\stackrel{k\mathrm{times}}{\overbrace{P+P+\cdots +P}}$$

The security of the elliptic curve cryptosystem is based on the following computational hard problems.

Definition 2. 

Given two points P, $Q(=\left[s\right]P)\in E\left({\mathbb{F}}_p\right)$, the elliptic curve discrete logarithm problem (ECDLP) is to find the integer $s\in {\mathbb{Z}}_p^{*}$. The advantage of an adversary $\mathcal{A}$ in solving the ECDLP within execution time $t_2$ is defined as

$${Adv}_{\mathcal{A}}^{\mathcal{E}CDLP}\left(t_2\right)=Pr[s\in {\mathbb{Z}}_p^{*}:P,Q=\left[s\right]P\in E\left({\mathbb{F}}_p\right)].$$

(2)

For any probabilistic polynomial time-bounded algorithm $\mathcal{A}$ and for any sufficiently small negligible function ${\epsilon }_2>0$, if ${Adv}_{\mathcal{A}}^{\mathcal{E}CDLP}\left(t_2\right)\le {\epsilon }_2$, then the ECDLP is intractable.

Definition 3. 

Given three points P, $Q(=[s\left]P\right)$, $R(=\left[t\right]P)\in E\left({\mathbb{F}}_p\right)$, the elliptic curve computational Diffie–Hellman problem (ECCDHP) is to find the point $[s·t]P\in E\left({\mathbb{F}}_p\right)$ where s, $t\in {\mathbb{Z}}_p^{*}$. The advantage of an adversary $\mathcal{A}$ in solving the ECCDHP within execution time $t_3$ is defined as

$${Adv}_{\mathcal{A}}^{\mathcal{E}CCDHP}\left(t_3\right)=Pr[[s·t]P\in E\left({\mathbb{F}}_p\right):P,Q=\left[s\right]P,R=\left[t\right]P\in E\left({\mathbb{F}}_p\right)\wedge s,t\in {\mathbb{Z}}_p^{*}].$$

(3)

For any probabilistic polynomial time-bounded algorithm $\mathcal{A}$ and for any sufficiently small negligible function ${\epsilon }_3>0$, if ${Adv}_{\mathcal{A}}^{\mathcal{E}CCDHP}\left(t_3\right)\le {\epsilon }_3$, then the ECCDHP is intractable.

Definition 4. 

Given two points P, $Q(=[s+t]P)\in E\left({\mathbb{F}}_p\right)$, the elliptic curve factorization problem (ECFP) is to find two points $\left[s\right]P,\left[t\right]P\in E\left({\mathbb{F}}_p\right)$, where s, $t\in {\mathbb{Z}}_p^{*}$. The advantage of an adversary $\mathcal{A}$ in solving the ECFP within execution time $t_4$ is defined as

$${Adv}_{\mathcal{A}}^{\mathcal{E}CFP}\left(t_4\right)=Pr[\left[s\right]P,\left[t\right]P\in E\left({\mathbb{F}}_p\right):P,Q=\left[s\right]P+\left[t\right]P\in E\left({\mathbb{F}}_p\right)\wedge s,t\in {\mathbb{Z}}_p^{*}].$$

(4)

For any probabilistic polynomial time-bounded algorithm $\mathcal{A}$ and for any sufficiently small negligible function ${\epsilon }_4>0$, if ${Adv}_{\mathcal{A}}^{\mathcal{E}CFP}\left(t_4\right)\le {\epsilon }_4$, then the ECFP is intractable.

2.3. Adversary Model

The adversary model by Dolev and Yao [34] was considered for communications over an insecure public channel, and the following assumptions were made.

• A1: An adversary $\mathcal{A}$ can trap, delete, or alter the messages transmitted over the public channel.
• A2: An adversary $\mathcal{A}$ can retrieve the information stored in the smart card using power monitoring techniques as explained in [35,36].
• A3: An adversary $\mathcal{A}$ can guess the identity or password using a dictionary attack. However, A cannot guess both the identity and password simultaneously within polynomial time [37].
• A4: An adversary $\mathcal{A}$ can be a non-registered user who tries to attack the authentication system [31].
• A5: The server is considered a trusted authority, and the adversary $\mathcal{A}$, as a privileged insider, cannot extract the server’s secret key s.

2.4. Security Goals

The following goals are defined for an ideal authentication scheme, as listed in [31,38].

• Mutual authentication: Both the server and the user can authenticate each other. No adversary can impersonate a legal user or server.
• Session key agreement: A session key should be created as the final step in the mutual authentication phase. Afterward, the communication between both parties can be encrypted using the shared session key.
• Forward secrecy: Even if the long-term private keys are compromised, the previous session keys cannot be used by any adversary to forge other session keys.
• User anonymity: A user’s identity should not be transmitted explicitly over an insecure channel. This ensures that the user’s sensitive information is protected from an adversary $\mathcal{A}$, even with the knowledge of login information or access to the server.
• User traceability: The server should be able to trace the sender of the login request message to avoid the denial-of-service attack. A database of registered users should be maintained by the server.
• Local password verification: A smart card can verify the user identity and password in the login phase before generating the login request message. This way, the smart card can reduce computational overhead by avoiding unnecessary calculations.
• Local password changeability: Users can update/change their passwords independently without the server’s assistance. The smart card must be able to detect unauthorized password update requests through the wrong input of the user identity and old password.

2.5. BAN Logic

Burrows–Abadi–Needham (BAN) logic [39] is a set of rules based on belief modal logic for analyzing authentication protocols. The notations used in BAN logic and their descriptions are provided in Table 2. Table 3 lists the BAN logic rules, descriptions, and symbolic forms that are used in proving the mutual authentication property of the proposed scheme.

Table 2. BAN logic notations and descriptions.

Notation	Description
$P\mid \equiv X$	P believes X
$P⊲X$	P sees X
$P\mid \sim X$	P once said X
$\#\left(X\right)$	Message X is fresh
${⟨X⟩}_Y$	Formula X is combined with secret Y
${\left(X\right)}_Y$	Formula X hashed with secret Y
$P\stackrel{K}{\leftrightarrow }Q$	P and Q communicate with a shared secret key K
$P\stackrel{X}{\rightleftharpoons }Q$	Only P and Q share the formula X which is a secret

Table 3. BAN logic rules, descriptions, and symbolic forms.

Rule	Description	Symbolic Form
Message-meaning rule	If P sees ${⟨X⟩}_K$ and P believes secret K is shared with Q, then P believes Q once said X.	$$\frac{P⊲{⟨X⟩}_K,P\mid \equiv \left(PKQ\right)}{P\mid \equiv Q\mid \sim X}$$
Freshness-conjuncatenation rule	If P believes X is fresh, then P believes $(X,Y)$ is fresh.	$$\frac{P\mid \equiv \#\left(X\right)}{P\mid \equiv \#(X,Y)}$$
Nonce-verification rule	If P believes X is fresh and P believes Q once said X, then P believes Q believes X.	$$\frac{P\mid \equiv \#\left(X\right),P\mid \equiv Q\mid \sim X}{P\mid \equiv Q\mid \equiv X}$$
Belief rule	If P believes X and P believes Y, then P believes $(X,Y)$.	$$\frac{P\mid \equiv X,P\mid \equiv Y}{P\mid \equiv (X,Y)}$$
Session-key rule	If P believes Q believes a necessary parameter X of the session key K and P believes X is fresh, then P believes session key K is shared with Q.	$$\frac{P\mid \equiv Q\mid \equiv X,P\mid \equiv \#\left(X\right)}{P\mid \equiv \left(PKQ\right)}$$
Session-key verification rule [40]	If P believes that X is fresh and P believes Q believes X and P believes session key K is shared with Q, then P believes Q believes session key K is shared between P and Q.	$$\frac{P\mid \equiv \#\left(X\right),P\mid \equiv Q\mid \equiv X,P\mid \equiv \left(PKQ\right)}{P\mid \equiv Q\mid \equiv \left(PKQ\right)}$$

2.6. Review of the Scheme by Chaudhry et al.

In this section, a brief description of the scheme by Chaudhry et al. [32] is presented. The authentication scheme by Chaudhry et al. [32] is an improvement of the scheme proposed by Huang et al. [30]. Their scheme consists of four phases: (1) system initialization, (2) user registration, (3) user login, and (4) mutual authentication. Figure 2 summarizes the authentication scheme by Chaudhry et al. [32]. Each of the phases is reviewed as follows.

Figure 2. Scheme by Chaudhry et al. [32] based on ECC.

(1)

System initialization phase

The Server S selects an elliptic curve $E_p(a,b)$ over ${\mathbb{F}}_p$, where p is k-bit prime, and a base point P of order n from $G_p$ of $E_p(a,b)$, where n is a large number for security purposes. Then, S computes the secret key and public key pair $(s,P_{pub})$ such that $P_{pub}=\left[s\right]P$, where s is a random integer $s\in {\mathbb{Z}}_n^{*}$. The Server S also chooses five distinct one-way hash functions $h_i:{\{0,1\}}^{*}\to {\mathbb{Z}}_p^{*}$, where $i=1,2,\dots ,5$. Finally, the Server S publishes $\{E_p(a,b),P,P_{pub},h(·)\}$ and keeps s secret.

(2)

User registration phase

In this phase, the user $U_i$ chooses an identity ${ID}_i$, a password ${pw}_i$, and a random integer $b_i$. Then, the user $U_i$ computes ${hpw}_i=h_1({ID}_i\parallel {pw}_i\parallel b_i)$ and sends $\{{ID}_i,{hpw}_i\}$ to S through a secure channel. Next, the Server S computes ${CID}_i=h_1({ID}_i\oplus s)$, ${AID}_i=[{CID}_i+{hpw}_i]P$, and ${BID}_i=h_2(h_1\left({ID}_i\right)·{hpw}_i)$. The Server S stores $\{{AID}_i,{BID}_i\}$ into the smart card ${SC}_i$ and issues the card securely to $U_i$. Once the user $U_i$ receives the smart card ${SC}_i$, the user will update the value $b_i$ into ${SC}_i$. Hence, the smart card ${SC}_i=\{{AID}_i,{BID}_i,b_i\}$.

(3)

User login phase

In the login phase, the registered user $U_i$ inserts the smart card ${SC}_i$ into a remote terminal and enters the identity and password, $\{{ID}_i,{pw}_i\}$. Next, the smart card ${SC}_i$ computes ${hpw}_i=h_1({ID}_i\parallel {pw}_i\parallel b_i)$ and ${BID}_i^{\prime }=h_2(h_1\left({ID}_i\right)·{hpw}_i)$, and checks if the equation ${BID}_i^{\prime }={BID}_i$ holds. Otherwise, the login phase is aborted. Then, the smart card ${SC}_i$ selects a random integer $r_i$ and computes $R_i=\left[r_i\right]P$, $M_i=\left[r_i\right]P_{pub}$, ${TID}_i={AID}_i-\left[{hpw}_i\right]P$, ${DID}_i={ID}_i\oplus M_i$, and ${EID}_i=h_3(h_4({TID}_i\parallel M_i)\parallel R_i\parallel M_i)$. The smart card ${SC}_i$ submits the login request message $\{{DID}_i,{EID}_i,R_i\}$ to S through a public channel.

(4)

Mutual authentication phase

Once the Server S receives the login request message, it computes $M_i^{\prime }=\left[s\right]R_i$, ${ID}_i^{\prime }={DID}_i\oplus M_i^{\prime }$, ${CID}_i^{\prime }=h_1({ID}_i^{\prime }\oplus s)$, ${TID}_i^{\prime }=\left[{CID}_i^{\prime }\right]P$, and ${EID}_i^{\prime }=h_3(h_4({TID}_i^{\prime }\parallel M_i^{\prime })R_i\parallel M_i^{\prime })$, and checks if the equation ${EID}_i^{\prime }={EID}_i$ holds. If the equation does not hold, the login request is rejected. Otherwise, the Server S generates a random integer $r_s$ and computes $R_s=\left[r_s\right]R_i$, $Z_s=R_s\oplus M_i^{\prime }$, and $H_s=h_3({EID}_i^{\prime }\parallel R_s\parallel {TID}_i)$, and sends the response message $=\{Z_s,H_s\}$ to $U_i$ through the public channel.

After receiving the response message, the user $U_i$ computes $R_s^{\prime }=Z_s\oplus M_i$, and $H_s^{\prime }=h_3({EID}_i\parallel R_s^{\prime }\parallel {TID}_i)$, and checks if $H_s^{\prime }=H_s$ holds. If the equation does not hold, the user $U_i$ disconnects from S. Otherwise, the user $U_i$ computes $H_i=h_2(M_i\parallel R_s^{\prime })$ and sends the message $=\left\{H_i\right\}$ to S. Next, the Server S computes $H_i^{\prime }=h_2(M_i^{\prime }\parallel R_s)$ and checks if $H_i^{\prime }=H_i$. If the equation holds, the user $U_i$ and the Server S achieve mutual authentication and agree on the session key $Sk=h_5(M_i\parallel R_s\parallel R_i\parallel {TID}_i)$. Otherwise, the session is terminated.

2.7. Drawbacks of Scheme by Chaudhry et al.

This section highlights the security drawbacks of the scheme by Chaudhry et al. [32].

(1)

Computational infeasibility

During the mutual authentication phase, once the Server S has verified the equation ${EID}_i^{\prime }={EID}_i$, it then computes the value $Z_s=R_s\oplus M_i^{\prime }=\left[r_s\right]R_i\oplus \left[s\right]R_i$. Then, the user retrieves the value of $R_S^{\prime }$ as $R_s^{\prime }=Z_s\oplus M_i=(\left[r_s\right]R_i\oplus \left[s\right]R_i)\oplus \left[r_i\right]P_{pub}$. However, the XOR operation is undefined on the elliptic curve since it is not a closed operation under the elliptic curve group. The undefined XOR operation on two elliptic curve points was highlighted by Maitra et al. [31] as a drawback of the scheme by Huang et al. [30]. However, Chaudhry et al. [32] did not address the issue in the modification of their scheme. Hence, their scheme maintained the infeasible computations of the scheme by Huang et al. [30].

(2)

Weakness to privileged insider attack

Consider an adversary $\mathcal{A}$ being a privileged insider who can monitor data transmission over a secure channel. In the registration phase of the scheme by Chaudhry et al. [32], the user $U_i$ submits $\{{ID}_i,{hpw}_i\}$ to the Server through a secure channel. Hence, $\mathcal{A}$ has access to ${ID}_i$ and ${hpw}_i$. If $\mathcal{A}$ possesses a lost/stolen smart card ${SC}_i$, then it is possible for $\mathcal{A}$ to launch an offline password-guessing attack. For example, assume that $\mathcal{A}$ has the values ${ID}_i$, ${hpw}_i$, and $\{{AID}_i,{BID}_i,b_i\}$ retrieved from ${SC}_i$ by Assumption A2. Then, $\mathcal{A}$ can obtain the correct password ${pw}_i$ by checking the equation ${hpw}_i=h({ID}_i\parallel {pw}_i\parallel b_i)=h({ID}_i\parallel {\widetilde{pw}}_i\parallel b_i)$, where ${\widetilde{pw}}_i$ is the guessed password. Therefore, the scheme by Chaudhry et al. [32] cannot resist the privileged insider attack.

(3)

Unable to trace user

After receiving the login request message $\{{DID}_i,{EID}_i,R_i\}$, the Server computes all of the values $M_i^{\prime }$, ${ID}_i^{\prime }$, ${CID}_i^{\prime }$, and ${TID}_i^{\prime }$ straight away before verifying the value ${EID}_i^{\prime }$. Based on discussions in [31], the Server was shown to be vulnerable to forgery attacks because it is unable to check if the login request comes from a registered user. Maitra et al. [31] also highlighted that the user untraceability feature is undesirable since the Server cannot provide user-specific services. In the scheme by Chaudhry et al. [32], the Server did not save any information about the registered users; therefore, it cannot trace the sender of the login request message.

(4)

No mechanism for password change/update

In the scheme by Chaudhry et al. [32], they rectified the computation of ${AID}_i$ during the user registration phase to overcome the user impersonation attack. Specifically, the value ${AID}_i$ was computed as ${AID}_i=[{CID}_i+{hpw}_i]P=[h_1({ID}_i\oplus s)+h_1({ID}_i\parallel {pw}_i\parallel b_i\left)\right]P$. Note that the value of ${AID}_i$ is stored in the memory of the smart card ${SC}_i$ and its value depends on the password ${pw}_i$ and random integer $b_i$. Consequently, the corresponding computation for the new value of ${AID}_i^{*}$ should also be rectified when a user changes/updates a new password ${pw}_i^{*}$ and new random integer $b_i^{*}$. However, the password change/update phase was not discussed. Therefore, their scheme did not provide a mechanism for the password change/update.

3. Proposed Scheme

This section presents the proposed ECC-based two-factor remote authentication scheme. Following the scheme by [32], the Server acts as a trusted authority that is responsible for preparing the global parameters and public and secret keys, as well as issuing smart cards to newly registered users. The proposed scheme also incorporates timestamps to verify the freshness of transmitted messages, similar to the design by [31]. Generally, the scheme consists of five phases: (1) system initialization, (2) user registration, (3) user login, (4) mutual authentication, and (5) password change/update. Figure 3 presents an overview of the proposed scheme.

Figure 3. The proposed ECC-based remote user password authentication scheme.

3.1. System Initialization Phase

• The Server S selects an elliptic curve $E_p(a,b)$ over ${\mathbb{F}}_p$, where p is k-bit prime and a base point P of order n from $G_p$ of $E_p(a,b)$, where n is a large number for security purposes.
• The Server S computes the secret key and public key pair $(s,P_{pub})$ such that $P_{pub}=\left[s\right]P$, where s is a random integer $s\in {\mathbb{Z}}_n^{*}$.
• The Server S chooses a cryptographic one-way hash function $h:{\{0,1\}}^{*}\to {\mathbb{Z}}_n^{*}$.
• The Server S publishes $\{E_p(a,b),P,P_{pub},h(·)\}$ and keeps s secret.

3.2. User Registration Phase

A new user must register with the Server S before requesting access to the services. The registration phase is detailed as follows:

• The user $U_i$ chooses an identity ${ID}_i$ and password ${pw}_i$, and generates a random integer $b_i\in {\mathbb{Z}}_n^{*}$. Then, the user $U_i$ computes ${hpw}_i=h({pw}_i\parallel b_i)$ and sends $\{{ID}_i,{hpw}_i\}$ to S through a secure channel.
• The Server S computes ${CID}_i=h({ID}_i\oplus s)$ and checks the availability of ${CID}_i$. If the value ${CID}_i$ is in the database of registered users, the user $U_i$ will be asked to input a new ${ID}_i$. Otherwise, the Server stores ${CID}_i$ into the database. Following the approach taken by [31], this step is added to allow S to trace the user during the login phase.
• The Server S computes ${AID}_i=[{CID}_i+{hpw}_i]P$, ${BID}_i=h(h\left({ID}_i\right)\oplus {hpw}_i)$, stores $\{{AID}_i,{BID}_i\}$ into the smart card ${SC}_i$, and issues the card securely to $U_i$.
• Once the user $U_i$ receives the smart card ${SC}_i$, the user computes ${\widehat{b}}_i=h({ID}_i\parallel {pw}_i)\oplus b_i$ and stores the value ${\widehat{b}}_i$ into ${SC}_i$. Hence, the smart card ${SC}_i=\{{AID}_i,{BID}_i,{\widehat{b}}_i\}$.

3.3. User Login Phase

In the login phase, a user $U_i$ submits a login request message to the Server S for access to the system. First, the user $U_i$ inserts the smart card ${SC}_i$ into a remote terminal and enters the identity and password, $\{{ID}_i^{\prime },{pw}_i^{\prime }\}$. The ${SC}_i$ executes the following steps.

• The smart card ${SC}_i$ computes $b_i^{\prime }={\widehat{b}}_i\oplus h({ID}_i^{\prime }\parallel {pw}_i^{\prime })$, ${hpw}_i^{\prime }=h({pw}_i^{\prime }\parallel b_i^{\prime })$, and ${BID}_i^{\prime }=h(h\left({ID}_i^{\prime }\right)\oplus {hpw}_i^{\prime })$, and checks if ${BID}_i^{\prime }={BID}_i$ holds. If the equation holds, then $U_i$ has entered the correct identity and password, ${ID}_i^{\prime }={ID}_i$ and ${pw}_i^{\prime }={pw}_i$, respectively. Otherwise, the login phase is aborted.
• The smart card ${SC}_i$ selects a random integer $r_i\in {\mathbb{Z}}_n^{*}$ and computes $R_i=\left[r_i\right]P=(x_{Ri},y_{Ri})\in G_p$, where $x_{Ri}$ and $y_{Ri}$ are the x-component and y-component of the point $R_i$, respectively.
• The smart card ${SC}_i$ computes $M_i=\left[r_i\right]P_{pub}=(x_{Mi},y_{Mi})\in G_p$, ${TID}_i={AID}_i-\left[{hpw}_i\right]P=(x_{Ti},y_{Ti})\in G_p$, ${DID}_i={ID}_i\oplus y_{Mi}$, and ${EID}_i=h(x_{Ti}\parallel x_{Mi}\parallel T_{i1})$, where $T_{i1}$ is the timestamp of $U_i$’s login request submission.
• The smart card ${SC}_i$ submits the login request message $=\{{DID}_i,{EID}_i,R_i,T_{i1}\}$ to S through a public channel.

3.4. Mutual Authentication Phase

Once the Server S receives the login request message at time $T_{s1}$, it proceeds with the following steps.

• The Server S checks if $(T_{s1}-T_{i1})\le \Delta T$, where $\Delta T$ is the allowed time transmission delay. If the time difference does not hold, the login request is rejected.
• The Server S computes $M_i^{\prime }=\left[s\right]R_i=(x_{Mi}^{\prime },y_{Mi}^{\prime })\in G_p$ in order to retrieve the identity ${ID}_i^{\prime }={DID}_i\oplus y_{Mi}^{\prime }$ and ${CID}_i^{\prime }=h({ID}_i^{\prime }\oplus s)$. Then, the Server S checks the validity of ${ID}_i^{\prime }$ by searching the value of ${CID}_i^{\prime }$ in the registered users’ database. If ${CID}_i^{\prime }$ is not in the database, the login request is rejected.
• The Server S computes ${TID}_i^{\prime }=\left[{CID}_i^{\prime }\right]P=(x_{Ti}^{\prime },y_{Ti}^{\prime })\in G_p$ and ${EID}_i^{\prime }=h(x_{Ti}^{\prime }\parallel x_{Mi}^{\prime }\parallel T_{i1})$, and checks if ${EID}_i^{\prime }={EID}_i$ holds. If the equation does not hold, the login request is rejected.
• The Server S generates a random integer $r_s\in {\mathbb{Z}}_n^{*}$, computes $R_s=\left[r_s\right]R_i=(x_{Rs},y_{Rs})\in G_p$, $Z_s=R_s+M_i^{\prime }$, and $H_s=h({EID}_i^{\prime }\parallel x_{Rs}\parallel T_{s1}\parallel x_{Ti}^{\prime })$, and sends the response message $=\{Z_s,H_s,T_{s1}\}$ to $U_i$ through the public channel.
• Once the user $U_i$ receives the response message at time $T_{i2}$, the user $U_i$ checks if $(T_{i2}-T_{s1})\le \Delta T$. If the time difference does not hold, the user $U_i$ disconnects from the Server S.
• The user $U_i$ computes $R_s^{\prime }=Z_s-M_i=(x_{Rs}^{\prime },y_{Rs}^{\prime })\in G_p$, and $H_s^{\prime }=h({EID}_i\parallel x_{Rs}^{\prime }\parallel T_{s1}\parallel x_{Ti})$, and checks if $H_s^{\prime }=H_s$ holds. If the equation does not hold, the user $U_i$ disconnects from S.
• The user $U_i$ computes $H_i=h(x_{Mi}\parallel x_{Rs})$ and sends the message $=\{H_i,T_{i2}\}$ to S.
• The Server S checks if $(T_{s2}-T_{i2})\le \Delta T$. If the time difference does not hold, the session is terminated.
• The Server S computes $H_i^{\prime }=h(x_{Mi}^{\prime }\parallel x_{Rs})$ and checks if $H_i^{\prime }=H_i$. If it holds, the user $U_i$ and the Server S achieve mutual authentication and agree on the session key ${Sk}_{us}=h(y_{Ri}\parallel y_{Rs}^{\prime }\parallel y_{Mi}\parallel y_{Ti}\parallel T_{i2}\parallel T_{s1})=h(y_{Ri}\parallel y_{Rs}\parallel y_{Mi}^{\prime }\parallel y_{Ti}^{\prime }\parallel T_{i2}\parallel T_{s1})={Sk}_{su}$. Otherwise, the session is terminated.

3.5. Password Change/Update Phase

The user $U_i$ can change or update the password during this phase by initially inserting the smart card ${SC}_i$ into a remote terminal with the identity and password $\{{ID}_i^{\prime },{pw}_i^{\prime }\}$. Then, the smart card performs the following steps.

• The smart card ${SC}_i$ computes $b_i^{\prime }={\widehat{b}}_i\oplus h({ID}_i^{\prime }\parallel {pw}_i^{\prime })$, ${hpw}_i^{\prime }=h({pw}_i^{\prime }\parallel b_i^{\prime })$, and ${BID}_i^{\prime }=h(h\left({ID}_i^{\prime }\right)\oplus {hpw}_i^{\prime })$, and checks if ${BID}_i^{\prime }={BID}_i$. If the equation is true, the smart card ${SC}_i$ asks the user $U_i$ to submit a new password ${pw}_i^{*}$. Otherwise, the request is rejected.
• Once the user $U_i$ enters the new password ${pw}_i^{*}$, the smart card ${SC}_i$ generates a new random integer $b_i^{*}\in {\mathbb{Z}}_n^{*}$ and computes the new values ${\widehat{b}}_i^{*}=h({ID}_i\parallel {pw}_i^{*})\oplus b_i^{*}$, ${hpw}_i^{*}=h({pw}_i^{*}\parallel b_i^{*})$, ${AID}_i^{*}={AID}_i+[{hpw}_i^{*}-{hpw}_i]P$, and ${BID}_i^{*}=h(h\left({ID}_i\right)\oplus {hpw}_i^{*})$.
• Finally, the smart card ${SC}_i$ updates the values as ${SC}_i=\{{AID}_i^{*},{BID}_i^{*},{\widehat{b}}_i^{*}\}$.

3.6. Proof of Correctness

The propositions and proof of correctness are presented below for the sake of completeness.

Proposition 1. 

If the user $U_i$ enters the identity and password $\{{ID}_i,{pw}_i\}$ correctly, and the user login phase and Steps 1-2 of the mutual authentication phase run smoothly, then the Server S will obtain the correct ${TID}_i^{\prime }={TID}_i$, which is shown as follows.

$$\begin{array}{cc}\hfill {TID}_i& ={AID}_i-\left[{hpw}_i\right]P\hfill \\ \hfill & =[{CID}_i+{hpw}_i]P-\left[{hpw}_i\right]P\hfill \\ \hfill & =\left[{CID}_i\right]P+\left[{hpw}_i\right]P-\left[{hpw}_i\right]P\hfill \\ \hfill & =\left[{CID}_i\right]P\hfill \\ \hfill & =\left[{CID}_i^{\prime }\right]P,{CID}_i={CID}_i^{\prime }\mathrm{in}\mathrm{Database}\hfill \\ \hfill & ={TID}_i^{\prime }\hfill \end{array}$$

Proposition 2. 

Assume that the user $U_i$ receives the response message from the Server S and passes the timestamp check in Step 5 of the mutual authentication phase. The equation in Step 6 will retrieve the correct $R_s^{\prime }$ value as follows.

$$\begin{array}{cc}\hfill R_s^{\prime }& =Z_s-M_i\hfill \\ \hfill & =(R_s+M_i^{\prime })-\left[r_i\right]P_{pub}\hfill \\ \hfill & =(R_s+\left[s\right]R_i)-\left[r_i\right]P_{pub}\hfill \\ \hfill & =R_s+\left[s\right]\left[r_i\right]P-\left[r_i\right]\left[s\right]P\hfill \\ \hfill & =R_s\hfill \end{array}$$

Proposition 3. 

If the user $U_i$ enters the correct identity and password $\{{ID}_i,{pw}_i\}$, and the equation ${BID}_i^{\prime }={BID}_i$ holds, the smart card ${SC}_i$ can compute the new value ${AID}_i^{*}$ without the knowledge of ${CID}_i$, which is shown as follows.

$$\begin{array}{cc}\hfill {AID}_i^{*}& ={AID}_i+[{hpw}_i^{*}-{hpw}_i]P\hfill \\ \hfill & =[{CID}_i+{hpw}_i]P+[{hpw}_i^{*}-{hpw}_i]P\hfill \\ \hfill & =\left[{CID}_i\right]P+\left[{hpw}_i\right]P+\left[{hpw}_i^{*}\right]P-\left[{hpw}_i\right]P\hfill \\ \hfill & =[{CID}_i+{hpw}_i^{*}]P\hfill \end{array}$$

4. Security Analysis of the Proposed Scheme

This section analyzes the security aspect of the proposed scheme. First, the formal security proof is presented based on the ROM using the proof by contradiction technique, which is similar to [26,32,33]. Next, the attainment of security goals is discussed. Then, the proposed scheme is shown to withstand several identified security attacks. Finally, the formal verification of the scheme using BAN logic is provided to prove the mutual authentication property.

4.1. Formal Security Analysis

The formal proof demonstrates that the proposed scheme is provably secure against an adversary $\mathcal{A}$ from obtaining the identity ${ID}_i$, secret key s, and shared session key ${Sk}_{us}(={Sk}_{su})$. In this approach, a mathematical proof is presented to show that the security of the proposed scheme is reduced to the ability of the adversary to break four computationally intractable problems: the collision-resistant one-way hash function, ECDLP, ECCDHP, and ECFP.

The formal proof begins by assuming the adversary $\mathcal{A}$ knows the values for the parameters $\{{AID}_i,{BID}_i,{\widehat{b}}_i\}$ stored in the smart card, and the messages $\{{DID}_i,{EID}_i,R_i,T_{i1}\}$, $\{Z_s,H_s,T_{s1}\}$, and $\{H_i,T_{i2}\}$ transmitted in the public channel, as described in the adversary model in Section 2.3. In addition, the adversary $\mathcal{A}$ is assumed to have access to the following oracles.

• ${\mathcal{O}}_{\mathcal{H}ash}$: Given the input $h\left(x\right)$, the oracle yields the output x.
• ${\mathcal{O}}_{\mathcal{E}CDLP}$: Given the input P and $Q=\left[a\right]P$, the oracle yields the output a.
• ${\mathcal{O}}_{\mathcal{E}CCDHP}$: Given the input P, $Q=\left[a\right]P$, and $R=\left[b\right]P$, the oracle yields the output $[a·b]P$.
• ${\mathcal{O}}_{\mathcal{E}CFP}$: Given the input P and $Q=\left[a\right]P+\left[b\right]P=[a+b]P$, the oracle yields the output $\left[a\right]P$ and $\left[b\right]P$.

Theorem 1. 

Assuming that the cryptographic one-way hash function $h(·)$ acts like a true random oracle, and ECDLP, ECCDHP, and ECFP are computationally intractable problems, then the proposed ECC-based authentication scheme is provably secure against an adversary $\mathcal{A}$ for deriving the identity ${ID}_i$, secret key s, and session key ${Sk}_{us}(={Sk}_{su})$.

 Proof. 

Suppose an adversary $\mathcal{A}$ is constructed to derive the identity ${ID}_i$, secret key s, and session key ${Sk}_{us}(={Sk}_{su})$ by running the algorithm ${ALG}_{\mathcal{A},ECPAS}^{\mathcal{O}racle}$, as shown in Algorithm 1 for the proposed ECC-based scheme. Based on Assumptions A1 and A2 in Section 2.3, the adversary $\mathcal{A}$ can obtain the transmitted messages $\{{DID}_i,{EID}_i,R_i,T_{i1}\}$, $\{Z_s,H_s,T_{s1}\}$, and $\{H_i,T_{i2}\}$, and the parameters $\{{AID}_i,{BID}_i,{\widehat{b}}_i\}$ stored in the smart card. Then, the success probability of ${ALG}_{\mathcal{A},ECPAS}^{\mathcal{O}racle}$ is given as ${Succ}_{\mathcal{A},ECPAS}^{\mathcal{O}racle}=2Pr[{Adv}_{\mathcal{A},ECPAS}^{\mathcal{O}racle}=1]-1$. The advantage for the ${ALG}_{\mathcal{A},ECPAS}^{\mathcal{O}racle}$ is the maximum of the success probability taken over all $\mathcal{A}$ with execution time t, ${Adv}_{\mathcal{A},ECPAS}^{\mathcal{O}racle}(t,q_1,q_2,q_3,q_4)=ma{x}_{\mathcal{A}}\left\{{Succ}_{\mathcal{A},ECPAS}^{\mathcal{O}racle}\right\}$, where $q_1$, $q_2$, $q_3$, and $q_4$ denote the number of queries made to oracles ${\mathcal{O}}_{\mathcal{H}ash}$, ${\mathcal{O}}_{\mathcal{E}CDLP}$, ${\mathcal{O}}_{\mathcal{E}CCDHP}$, and ${\mathcal{O}}_{\mathcal{E}CFP}$, respectively.

Algorithm 1 ${ALG}_{\mathcal{A},ECPAS}^{\mathcal{O}racle}$ for deriving identity ${ID}_i$, secret key s, and session key ${Sk}_{us}(={Sk}_{su})$.

1: Eavesdrop the login message $\{{DID}_i,{\left(EID\right)}_i,R_i,T_{i1}\}$

2: Call ${\mathcal{O}}_{\mathcal{H}ash}$ on input ${EID}_i=h(x_{Ti}\parallel x_{Mi}\parallel T_{i1})$ to obtain $(x_{Ti}^{★}\parallel x_{Mi}^{★}\parallel T_{i1}^{★})\leftarrow {\mathcal{O}}_{\mathcal{H}ash}\left({EID}_i\right)$

3: Call ${\mathcal{O}}_{\mathcal{E}CCDHP}$ on input $P_{pub}$, $R_i$, and P to obtain $M_i^{★★}$ as $(M_i^{★★}=(x_{Mi}^{★★},y_{Mi}^{★★}))\leftarrow {\mathcal{O}}_{\mathcal{E}CCDHP}(P_{pub},R_i,P)$

4: if $x_{Mi}^{★}=x_{Mi}^{★★}$then

5:  Call ${\mathcal{O}}_{\mathcal{E}CFP}$ on input ${AID}_i$ and P to obtain ${TID}_i^{★★}$ and ${\left(\left[{hpw}_i\right]P\right)}^{★}$ as $({TID}_i^{★★}=(x_{Ti}^{★★},y_{Ti}^{★★}),{\left(\left[{hpw}_i\right]P\right)}^{★})\leftarrow {\mathcal{O}}_{\mathcal{E}CFP}({AID}_i,P)$

6:  if $x_{Ti}^{★}=x_{Ti}^{★★}$ then

Compute ${ID}_i^{★}={DID}_i\oplus y_{Mi}^{★}$

8:           Compute ${EID}_i^{★}=h(x_{Ti}^{★}\parallel x_{Mi}^{★}\parallel T_{i1})$

9:        if ${EID}_i^{★}={EID}_i$ then

10:           Accept ${ID}_i^{★}$ as the correct user’s identity

11:           Call ${\mathcal{O}}_{\mathcal{E}CDLP}$ on input ${TID}_i^{★}$ and P to obtain ${CID}_i^{★}$ as $\left({CID}_i^{★}\right)\leftarrow {\mathcal{O}}_{\mathcal{E}CDLP}({TID}_i^{★},P)$

12:           Call ${\mathcal{O}}_{\mathcal{H}ash}$ on input ${CID}_i^{★}=h({ID}_i\oplus s)$ to obtain ${({ID}_i\oplus s)}^{★}$ as ${({ID}_i\oplus s)}^{★}\leftarrow {\mathcal{O}}_{\mathcal{H}ash}\left({CID}_i^{★}\right)$

13:           Compute $s^{★}={({ID}_i\oplus s)}^{★}\oplus {ID}_i^{★}$

Eavesdrop the message $\{Z_s,H_s,T_{s1}\}$

15:           Compute $R_s^{★}=Z_s-M_i^{★}=(x_{Rs}^{★},y_{Rs}^{★})$

16:           Compute $H_s^{★}=h({EID}_i^{★}\parallel x_{Rs}^{★}\parallel T_{s1}\parallel x_{Ti}^{★})$

17:           if $H_s^{★}=H_s$ then

18:               Accept $s^{★}$ as the correct secret key

19:               Eavesdrop the message $\{H_i,T_{i2}\}$

20:               Compute $H_i^{★}=h(x_{Mi}^{★}\parallel x_{Rs}^{★})$

21:               if $H_i^{★}=H_i$ then

22:                   Compute ${Sk}_{us}=h(y_{Ri}\parallel y_{Rs}^{★}\parallel y_{Mi}^{★}\parallel y_{Ti}^{★}\parallel T_{i2}\parallel T_{s1})={Sk}_{su}$ as the correct shared session key

23:                   return 1 (Success)

24:               else

25:                   return 0 (Fail)

26:               end if

27:           else

28:               return 0 (Fail)

29:           end if

30:        else

31:           return 0 (Fail)

32:        end if

33:    else

34:        return 0 (Fail)

35:    end if

36:else

37:    return 0 (Fail)

38: end if

Based on algorithm ${ALG}_{\mathcal{A},ECPAS}^{\mathcal{O}racle}$, suppose the adversary $\mathcal{A}$ can compute the inverse of a cryptographic one-way hash functions, and solve ECDLP, ECCDHP, and ECFP by using the oracles ${\mathcal{O}}_{\mathcal{H}ash}$, ${\mathcal{O}}_{\mathcal{E}CDLP}$, ${\mathcal{O}}_{\mathcal{E}CCDHP}$, and ${\mathcal{O}}_{\mathcal{E}CFP}$. Then, the adversary $\mathcal{A}$ wins the game and successfully obtains ${ID}_i$, s, and ${Sk}_{us}(={Sk}_{su})$. However, according to Definitions 1–4, the advantages ${Adv}_{\mathcal{A}}^{\mathcal{H}ash}\left(t_1\right)\le {\epsilon }_1$, ${Adv}_{\mathcal{A}}^{\mathcal{E}CDLP}\left(t_2\right)\le {\epsilon }_2$, ${Adv}_{\mathcal{A}}^{\mathcal{E}CCDHP}\left(t_3\right)\le {\epsilon }_3$, and ${Adv}_{\mathcal{A}}^{\mathcal{E}CFP}\left(t_4\right)\le {\epsilon }_4$, for any sufficiently small negligible functions ${\epsilon }_1,{\epsilon }_2,{\epsilon }_3,{\epsilon }_4>0$. Hence, it must be that ${Adv}_{\mathcal{A},ECPAS}^{\mathcal{O}racle}(t,q_1,q_2,q_3,q_4)\le \epsilon$ for any sufficiently small $\epsilon >0$. Therefore, the theorem is proven. □

4.2. Attainment of Security Goals

This section analyzes the proposed scheme’s attainment of security goals as explained in Section 2.4.

(1)

Mutual authentication

The proposed scheme includes mutual authentication steps for verifying the legality of the user and the Server. The Server authenticates the user by checking the value ${CID}_i=h(I{D}_i^{\prime }\oplus s)$ in the registered users’ database. Next, the user authenticates the Server by checking the value of $H_s^{\prime }=h({EID}_i\parallel x_{Rs}^{\prime }\parallel T_{s1}\parallel x_{Ti})$. Although an adversary may obtain the value of ${EID}_i$, $Z_s$ and ${AID}_i$ by Assumptions A1 and A2, the adversary needs to compute the values of $R_s^{\prime }=Z_s-M_i$ and ${TID}_i={AID}_i-\left[{hpw}_i\right]P$, which are not transmitted in the public channel. Furthermore, $R_s^{\prime }$ and ${TID}_i$ are secured by the ECDLP and ECFP. Therefore, the proposed scheme provides mutual authentication.

(2)

Session key agreement

After completing the mutual authentication steps, both the user and Server compute a shared session key ${Sk}_{us}=h(y_{Ri}\parallel y_{Rs}^{\prime }\parallel y_{Mi}\parallel y_{Ti}\parallel T_{i2}\parallel T_{s1})=h(y_{Ri}\parallel y_{Rs}\parallel y_{Mi}^{\prime }\parallel y_{Ti}^{\prime }\parallel T_{i2}\parallel T_{s1})={Sk}_{su}$. Since the adversary does not know $R_s$, $M_i$, and ${TID}_i$, the session key cannot be computed directly due to the cryptographic one-way hash function. Hence, the shared session key is protected in the proposed scheme.

(3)

Forward secrecy

In the proposed scheme, the session keys are computed using the values $R_i=\left[r_i\right]P$ and $R_s=\left[r_s\right]P$, which are calculated based on random numbers $r_i$ and $r_s$. Even if an adversary obtains the secret key s, the adversary still cannot obtain any information from the previous session keys. Thus, the proposed scheme provides forward secrecy.

(4)

User anonymity

According to Assumption A2, an adversary may extract all of the values $\{{AID}_i,{BID}_i,{\widehat{b}}_i\}$ in the smart card. The ${ID}_i$ is contained in the parameters ${AID}_i$ and ${BID}_i$. However, the adversary needs to invert a one-way hash output, which is impossible in polynomial time, as shown in Theorem 1. As a result, the proposed scheme provides user anonymity.

(5)

User traceability

Following Maitra et al. [31], the server should be able to trace the sender of the login request message by confirming that the sender is indeed a user registered in the database. The proposed scheme still maintains user anonymity because the user’s ${ID}_i$ is hidden and secured by the secret key s in the parameter ${CID}_i=h({ID}_i\oplus s)$. Therefore, the proposed scheme allows the Server to trace the user.

(6)

Local password verification

The proposed scheme provides wrong password input detection by the smart card during the login phase by checking the value ${BID}_i^{\prime }=h(h\left({ID}_i^{\prime }\right)\oplus {hpw}_i^{\prime })={BID}_i$. The incorrect combination of ${ID}_i^{\prime }$ and ${pw}_i^{\prime }$ will be detected before preparing the login request message. Hence, the proposed scheme provides local password verification.

(7)

Local password changeability

The password change/update phase permits the user to modify the password without contacting the Server. Since the smart card can verify the password and identity locally through a remote terminal, it can compute and update the parameters $\{{AID}_i^{*},{BID}_i^{*},{\widehat{b}}_i^{*}\}$. Therefore, the proposed scheme provides efficient local password changeability.

4.3. Resistance to Security Attacks

This section presents the proposed scheme’s ability to withstand several security attacks.

(1)

Offline password-guessing attack

Suppose that an adversary $\mathcal{A}$ obtains a lost/stolen smart card ${SC}_i$ and retrieves $\{{AID}_i,{BID}_i,{\widehat{b}}_i\}$. The adversary $\mathcal{A}$ must guess the user $U_i$’s identity ${ID}_i$ and password ${pw}_i$ to compute $b_i$, ${hpw}_i$, and ${BID}_i^{\prime }={BID}_i=h(h\left({ID}_i\right)\oplus {hpw}_i)$. However, according to Assumption A3, it is impossible to guess both ${ID}_i$ and ${pw}_i$ within polynomial time. Hence, the proposed scheme can withstand the offline password-guessing attack.

(2)

Replay attack

By Assumption A1, an adversary $\mathcal{A}$ can intercept all of the messages transmitted through the public channel. Since the messages are generated using the random numbers ($r_i$, $r_s$) and timestamps ($T_{i1}$, $T_{i2}$, $T_{s1}$), the Server S will notice the repeated message submissions. Hence, it is impossible for $\mathcal{A}$ to replay intercepted messages. Therefore, the proposed scheme can resist replay attacks.

(3)

Privileged insider attack

In this attack, suppose a privileged insider $\mathcal{A}$ as an active adversary who obtains the identity ${ID}_i$ by monitoring data transmitted over a secure channel during the registration phase. In addition, assume that $\mathcal{A}$ extracts the values ${AID}_i$, ${BID}_i$, and ${\widehat{b}}_i$ from a lost/stolen smart card ${SC}_i$, as in Assumption A2. In the proposed scheme, $\mathcal{A}$ cannot launch the password-guessing attack because the password ${pw}_i$ is secured by ${hpw}_i=h({pw}_i\parallel b_i)$. The adversary $\mathcal{A}$ can try to retrieve the random number $b_i$ from ${\widehat{b}}_i=h({ID}_i\parallel {pw}_i)\oplus b_i$. However, $\mathcal{A}$ has to guess both ${pw}_i$ and $b_i$ simultaneously within polynomial time, which contradicts Assumption A3. Thus, the proposed scheme can withstand the privileged insider attack.

(4)

Stolen-verifier attack

If an adversary $\mathcal{A}$ gains access to the database of registered users, the adversary $\mathcal{A}$ can try to extract the ${ID}_i$ of a legal user $U_i$. However, the Server’s database stores the value ${ID}_i$ in ${CID}_i=h({ID}_i\oplus s)$ secured by the collision-resistant one-way hash function. In addition, $\mathcal{A}$ also cannot obtain the secret key s since it is protected by ECDLP. It is impossible for $\mathcal{A}$ to retrieve ${ID}_i$. Therefore, the proposed scheme can resist stolen-verifier attacks.

(5)

Key-compromised impersonation attack

Assume an adversary $\mathcal{A}$ obtains a compromised or stolen secret key s. Then, the adversary $\mathcal{A}$ can try to impersonate a legal user $U_i$ to cheat the Server S. Still, the $\mathcal{A}$ must first pass the verification check ${BID}_i^{\prime }={BID}_i$. Furthermore, the $\mathcal{A}$ cannot create the login message $\{{DID}_i,{EID}_i,R_i,T_{i1}\}$ because it is not possible to compute ${hpw}_i$. Thus, the proposed scheme can withstand the key-compromised impersonation attack.

4.4. Formal Verification Using BAN Logic

This section provides the verification of the mutual authentication property for the proposed scheme using BAN logic [39]. The BAN logic analysis consists of four main steps: (1) defining the verification goals, (2) transforming the proposed scheme to its idealized form, (3) expressing the initial state assumptions, and (4) proving the security goals by using the BAN logic rules as in Table 3.

(1)

Verification goals

First, the BAN logic goals for the proposed scheme are defined and listed as follows.

• Goal 1: $U_i\mid \equiv (U_i\stackrel{\mathrm{Sk}}{\leftrightarrow }S)$
• Goal 2: $U_i\mid \equiv S\mid \equiv U_i\mid \equiv (U_i\stackrel{\mathrm{Sk}}{\leftrightarrow }S)$
• Goal 3: $S\mid \equiv (U_i\stackrel{\mathrm{Sk}}{\leftrightarrow }S)$
• Goal 4: $S\mid \equiv U_i\mid \equiv (U_i\stackrel{\mathrm{Sk}}{\leftrightarrow }S)$

(2)

Idealization of the proposed scheme

Next, the proposed scheme is transformed into the idealized form as follows.

• Message 1: $U_i\to S:{⟨{ID}_i⟩}_{M_i},{(M_i,T_{i1})}_{{TID}_i},R_i,T_{i1}$
• Message 2: $S\to U_i:{⟨R_s⟩}_{M_i},{({EID}_i,R_s,T_{s1})}_{{TID}_i},T_{s1}$
• Message 3: $U_i\to S:{\left(R_s\right)}_{M_i},T_{i2}$

(3)

Initial state assumptions

The assumptions made on the initial state of the proposed scheme are listed below.

• A1: $S\mid \equiv (U_i\stackrel{M_i}{\rightleftharpoons }S)$;
• A2: $U_i\mid \equiv (U_i\stackrel{{TID}_i}{\rightleftharpoons }S)$;
• A3: $S\mid \equiv (U_i\stackrel{{TID}_i}{\rightleftharpoons }S)$;
• A4: $U_i\mid \equiv \#(T_{s1})$;
• A5: $S\mid \equiv \#(T_{i1},T_{i2})$.

(4)

Proof using BAN logic

The security proof analysis is presented based on the goals, initial state assumptions, and BAN logic rules.

• Step 1: From Message 1, $S⊲({⟨{ID}_i⟩}_{M_i},{(M_i,T_{i1})}_{{TID}_i},R_i,T_{i1})$.
• Step 2: According to Step 1, A3, and applying the message-meaning rule, the statement $S\mid \equiv U_i\mid \sim (M_i,R_i,T_{i1})$ is deduced.
• Step 3: By the freshness-conjuncatenation rule and A5 yields, $S\mid \equiv \#(M_i,R_i,T_{i1})$.
• Step 4: From Step 2, Step 3, and the nonce-verification rule, then $S\mid \equiv U_i\mid \equiv (M_i,R_i,T_{i1})$.
• Step 5: From Message 3, $S⊲({\left(R_s\right)}_{M_i},T_{i2})$.
• Step 6: Applying the message-meaning rule to Step 5 and A1, then $S\mid \equiv U_i\mid \sim (R_s,T_{i2})$.
• Step 7: By the freshness-conjuncatenation rule and A5 yields, $S\mid \#(R_s,T_{i2})$.
• Step 8: From Steps 6 and 7 using the nonce-verification rule, then $S\mid \equiv U_i\mid \equiv (R_s,T_{i2})$.
• Step 9: By the belief rule, Step 4, and Step 8, $S\mid \equiv U_i\mid \equiv (M_i,R_i,R_s,T_{i1},T_{i2})$.
• Step 10: From Step 9, A5, and the session key rule, then $S\mid \equiv \left(U_{i}SkS\right)$ (Goal 3).
• Step 11: From A5, Step 9, Step 10, and the session-key verification rule, then $S\mid \equiv U_i\mid \equiv (U_i\stackrel{\mathrm{Sk}}{\leftrightarrow }S)$ (Goal 4).
• Step 12: From Message 2, $U_i⊲({⟨R_s⟩}_{M_i},{({EID}_i,R_s,T_{s1})}_{{TID}_i},T_{s1})$.
• Step 13: Applying the message-meaning rule, from Step 12 and A2, then the statement $U_i\mid \equiv S\mid \sim ({EID}_i,R_s,T_{s1})$ is obtained.
• Step 14: By the freshness conjuncatenation rule and A4 yields, $U_i\mid \equiv \#({EID}_i,R_s,T_{s1})$.
• Step 15: According to Step 13, Step 14, and applying the nonce verification rule, then $U_i\mid \equiv S\mid \equiv ({EID}_i,R_s,T_{s1})$.
• Step 16: By the session-key rule, Step 14, and Step 15, then $U_i\mid \equiv (U_i\stackrel{\mathrm{Sk}}{\leftrightarrow }S)$ (Goal 1).
• Step 17: Finally, from A4, Step 15, Step 16, and the session-key verification rule, $U_i\mid \equiv S\mid \equiv (U_i\stackrel{\mathrm{Sk}}{\leftrightarrow }S)$ (Goal 2).

Based on BAN logic analysis, all of the defined goals are achieved. Therefore, the proposed scheme is demonstrated to provide mutual authentication using the shared session key between $U_i$ and S.

5. Performance Analysis

This section explains the performance of the proposed scheme compared to similar schemes and improvements by [29,30,31,32,33]. Since this study focuses on the schemes that have been improved based on Qu and Tan [29], the compared schemes are chosen based on the underlying security of three hard problems in ECC (i.e., ECDLP, ECCDHP, and ECFP) in the general user–server application. Based on the literature search, to the best of the authors’ knowledge, only the works by Huang et al. [30] and Chaudhry et al. [32] fit this scope. The schemes by Maitra et al. [31] and Mehmood et al. [33] are also included in the performance comparison since they proposed enhancements based on Huang et al. [30].

Table 4 summarizes the security goals attainment and resistance to security attacks of every scheme based on the discussions in Section 4. The proposed scheme has been shown to achieve all of the security goals as given in Maitra et al. [31], which are formal security proof, mutual authentication, session key agreement, forward secrecy, user anonymity, user traceability, local password verification, and local password changeability. The proposed scheme has also been shown to withstand replay attacks, offline password-guessing attacks, privileged insider attacks, stolen-verifier attacks, insider attacks, and key-compromised impersonation attacks. Overall, the proposed scheme and Maitra et al. [31] outperformed other considered schemes in terms of security goals attainment. The proposed scheme performs better than all considered schemes based on the resistance to security attacks.

Table 4. Attainment of security goals and resistance to security attacks of the proposed scheme and other similar schemes.

	Schemes
	Proposed	Qu and Tan	Huang et al.	Maitra et al.	Chaudhry et al.	Mehmood et al.
		[29]	[30]	[31]	[32]	[33]
Attainment of security goals
Formal security proof	✓	✗	✗	✓	✓	✓
Mutual authentication	✓	✓	✓	✓	✓	✓
Session key agreement	✓	✓	✓	✓	✓	✓
Forward secrecy	✓	✓	✓	✓	✓	✓
User anonymity	✓	✓	✓	✓	✓	✓
User traceability	✓	✗	✗	✓	✗	✗
Local password verification	✓	✓	✓	✓	✓	✓
Local password changeability	✓	✓	✓	✓	✗	✗
Resistance to security attacks
Replay attack	✓	✓	✓	✓	✓	✓
Offline password-guessing attack	✓	✗	✓	✓	✓	✓
Privileged insider attack	✓	✓	✗	✓	✗	✗
Stolen-verifier attack	✓	✓	✓	✓	✓	✗
Key-compromised impersonation attack	✓	✗	✗	✗	✗	✗

(✓): Yes; (✗): Not disscussed.

For the computational cost analysis, the approximate running time is based on the performance evaluation by Kilinc and Yanik [41] using the PBC Library [42]. The running times of arithmetic and cryptographic operations were measured using the experimental platform, which is the Ubuntu 12.04.1 LTS 32bit operating system with Intel Pentium Dual CPU E2200 2.20 GHz processor and 2048 MB of RAM. Based on their findings, the order of the time complexity for the elliptic curve point multiplication operation ($T_{em}$), elliptic curve point addition operation ($T_{ea}$), symmetric encryption/decryption operation ($T_{sym}$), and hash operation ($T_h$) is stated as $T_{em}\gg T_{ea}>T_{sym}>T_h$. The estimated running times for $T_{em}$, $T_{ea}$, $T_{sym}$, and $T_h$ are 2.226 ms, 0.0288 ms, 0.0046 ms, and 0.00023 ms, respectively. The modular multiplication/division operation ($T_m$) and the bitwise XOR (⊕) operation recorded negligible running times and are hence ignored.

The computational cost is the total time complexity of operations executed in the user registration, user login, and mutual authentication phases. As shown in Table 5, the proposed scheme requires the computational cost of 7 $T_{em}$ + 3 $T_{ea}$ + 18 $T_h$ and a running time of approximately 15.710 ms. In terms of the number of $T_{em}$ operations executed, the proposed scheme maintains 7 $T_{em}$ operations as in Huang et al. [30] and Chaudhry et al. [32], which is four $T_{em}$ operations less than Maitra et al. [31]. The running times for Qu and Tan [29], Huang et al. [30], Maitra et al. [31], Chaudhry et al. [32], and Mehmood et al. [33] are approximately 20.215 ms, 15.767 ms, 24.521 ms, 15.708 ms, and 9.003 ms, respectively. As seen in Figure 4a, the proposed scheme requires only a 0.02 ms higher running time than Chaudhry et al. [32]. This slight increase in running time is insignificant given that the proposed scheme is more secure than Chaudhry et al. [32] based on Table 4. Furthermore, the proposed scheme’s running time is 8.811 ms less than that of Maitra et al. [31], which is noteworthy considering that both schemes attain the same security goals.

Table 5. Computational cost for executed operations in the proposed scheme and other similar schemes.

Schemes	Computational Cost	Running Time
Proposed	7 $T_{em}$ + 3 $T_{ea}$ + 18 $T_h$	≈ 15.710 ms
Qu and Tan [29]	9 $T_{em}$ + 5 $T_{ea}$ + 16 $T_h$	≈ 20.215 ms
Huang et al. [30]	7 $T_{em}$ + 5 $T_{ea}$ + $T_m$ + 18 $T_h$	≈ 15.767 ms
Maitra et al. [31]	11 $T_{em}$ + 2 $T_m$ + 15 $T_h$	≈ 24.521 ms
Chaudhry et al. [32]	7 $T_{em}$ + 3 $T_{ea}$ + 2 $T_m$ + 17 $T_h$	≈ 15.708 ms
Mehmood et al. [33]	4 $T_{em}$ + 2 $T_{ea}$ + 3 $T_m$ + 2 $T_{sym}$ + 14 $T_h$	≈ 9.003 ms

$T_{em}$: Elliptic curve multiplication operation, $T_{ea}$: Elliptic curve point addition operation, $T_m$: Modular multiplication/division operation, $T_{sym}$: Symmetric encryption/decryption operation, $T_h$: Hash operation.

Figure 4. Comparisons of ECC-based schemes’ performance in terms of (a) running time; (b) smart card storage cost; (c) message transmission cost.

For the smart card storage and message transmission costs analysis, the following assumptions are made. The sizes for the identity ${ID}_i$, password ${pw}_i$, and random numbers $\{b_i,r_i,r_s\}$ are 160 bits each. The hash function outputs $\{{BID}_i,{\widehat{b}}_i,{EID}_i,H_s,H_i\}$ are 256 bits, assuming the use of the SHA-256 [2] algorithm. The elliptic curve points $\{{AID}_i,R_i,Z_s\}$ are 512 bits each, whereas the x/y-coordinate is 256 bits. The timestamps $\{T_{i1},T_{s1},T_{i2}\}$ are 128 bits.

In the proposed scheme, the parameters $\{{AID}_i,{BID}_i,{\widehat{b}}_i\}$ are stored in the smart card ${SC}_i$. The storage cost required for the smart card is $512+256+256=1024$ bits, which is the highest among other schemes as shown in Figure 4b. The proposed scheme’s storage cost incurs 96 more bits than schemes by [29,30,32,33] since the parameter ${\widehat{b}}_i$ is stored as a hash output to mask the random number $b_i$. Furthermore, the proposed scheme requires a 296-bit higher storage cost than the scheme by Maitra et al. [31] because the parameter ${AID}_i$ is stored as an elliptic curve point instead of a hash output. Nevertheless, the proposed scheme’s higher storage cost is justified given that the proposed scheme provides better security features than other schemes.

The message transmission cost is the total bit size of the messages $\{{DID}_i,{EID}_i,R_i,T_i\}$, $\{Z_s,H_s,T_{s1}\}$, and $\{H_i,T_{i2}\}$, which are exchanged during the user login phase and mutual authentication phase. For the proposed scheme, the transmission cost is $(4\times 256)+(2\times 512)+(3\times 128)=2432$ bits, which is comparable to that of Maitra et al. [31] and 128 bits lower than [29,30]. However, the proposed scheme’s transmission cost is 384 bits and 512 bits higher than Chaudhry et al. [32] and Mehmood et al. [33], respectively. Note that the proposed scheme and Maitra et al. [31] require clock synchronization, unlike other schemes. Hence, the transmission of timestamps during the login and authentication phases explains the message transmission cost being higher than [32,33], as shown in Figure 4c. Even with timestamps, the proposed scheme and Maitra et al. [31] managed to keep their transmission cost lower than [29,30].

Overall, the computational cost and running time of the proposed scheme are lower than [29,30,31]. In terms of the message transmission cost, the proposed scheme performs the same as Maitra et al. [31]. As the proposed scheme maintains all of the hard problems (ECDLP, ECCDHP, and ECFP) of Qu and Tan [29] and attains all of the security goals of Maitra et al. [31] as shown in Table 5, the higher smart card storage cost is an acceptable trade-off. In conclusion, the proposed scheme is better than all considered schemes.

6. Applications

In the future, it is suggested to investigate the applicability of adopting the three hard problems, i.e., ECDLP, ECCDHP, and ECFP, in developing user/client identification and authentication cryptographic schemes in distributed computer networks [43,44,45]. The integration of distributed computer networks with physical and social systems has evolved tremendously to many applications in cyber–physical systems and cyber–physical social systems. These systems connect many low-powered devices, such as smart mobile applications and wireless sensor nodes, that are deployed in unsupervised environments. The communication and data sharing between the physical components and cyber components demand attention toward security requirements and privacy issues [46,47]. ECC is favored in many public-key-based cryptographic schemes due to its efficiency; hence, it is important to study the feasibility of implementing three hard problems (ECDLP, ECCDHP, and ECFP) in designing secure and efficient schemes.

7. Conclusions

This study highlighted several drawbacks of the scheme by Chaudry et al. The aim of this study was to propose an ECC-based two-factor remote authentication scheme with a session key agreement based on Chaudhry et al.’s scheme to solve these drawbacks. The proposed scheme is provably secure under the ROM using the formal definitions of ECDLP, ECCDHP, and ECFP. Based on the security and performance analyses with other previous schemes, the proposed scheme offers better security attributes and is more efficient in terms of the computational cost and running time. Future work is suggested to build better identification and authentication schemes based on the same hard problems (ECDLP, ECCDHP, and ECFP) for applications in cyber–physical systems.