KSII TRANSACTIONS ON INTERNET AND INFORMATION SYSTEMS VOL. 10, NO. 3, Mar. 2016 1289 Copyright ⓒ2016 KSII

Forward Anonymity-Preserving Secure Remote Authentication Scheme

Hanwook Lee1, Junghyun Nam2, Moonseong Kim3 and Dongho Won1 1 Department of Computer Engineering, Sungkyunkwan University, Korea [e-mail: [email protected], [email protected]] 2 Department of Computer Engineering, Konkuk University, Korea [e-mail: [email protected]] 3 Information Management Division, Korean Intellectual Property Office, Korea [e-mail: [email protected]] *Corresponding author: Dongho Won

Received May 10, 2015; revised October 23, 2015; accepted January 21, 2016; published March 31, 2016

Abstract

Dynamic ID-based authentication solves the ID-theft problem by changing the ID in each session instead of using a fixed ID while performing authenticated key exchanges between communicating parties. User anonymity is expected to be maintained and the exchanged key kept secret even if one of the long-term keys is compromised in the future. However, in the conventional dynamic ID-based authentication scheme, if the server’s long-term key is compromised, user anonymity can be broken or the identities of the users can be traced. In addition, these schemes are vulnerable to replay attacks, in which any adversary who captures the authentication message can retransmit it, and eventually cause the legitimate user to be denied service. This paper proposes a novel dynamic ID-based authentication scheme that preserves forward anonymity as well as forward secrecy and obviates replay attacks.

Keywords: Forward anonymity, dynamic ID-based authentication, smart card

This research was supported by the Basic Science Research Program through the National Research Foundation of Korea (NRF) funded by the Ministry of Science, ICT, and Future Planning (2014R1A1A2002775). http://dx.doi.org/10.3837/tiis.2016.03.019 ISSN : 1976-7277 1290 Lee et al.: Forward Anonymity-Preserving Secure Remote Authentication Scheme

1. Introduction

Authenticated key exchange allows two or more parties to compute shared keys and also ensures their identities are authentic in insecure networks. Conventional authenticated key exchange protocols transfer identity information (ID) in plain text. Consequently, attackers can eavesdrop on communications between parties for information that enables them to forge the login request messages of legitimate users. Das et al. proposed a countermeasure in the form of a dynamic ID-based authentication scheme in which the user ID changes in every session based on the one-way hash function [1]. In the proposed scheme, the dynamic ID appears like a random number but in such a manner that legitimate parties can acquire the correct static ID without attackers being able to distinguish it. Although the scheme’s ability to provide user anonymity, mutual authentication, and security was subsequently deemed inadequate [2-4], it significantly influenced later studies related to user anonymity protection. The dynamic ID-based authentication scheme can be classified as a client encryption scheme or a server encryption scheme, depending on the party that creates the dynamic ID. In the client encryption scheme, the client encrypts the static ID using secret information induced either by the server’s long-term or public key [1, 3-12]. Conversely, in the server encryption scheme, the server encrypts the static ID using its own long-term key and transfers this dynamic ID, for subsequent use in the authentication process, to the user [13-18]. In each of these schemes, the user requires a device such as a smart card that can store and manage secret information acquired from the server’s long-term key, its public key, or a dynamic ID securely created by the server. Smart cards are convenient, portable, and inexpensive. Consequently, they are being widely adopted for two-factor authentication in remote host login, online banking, e-commerce, and e-health systems. Initially, dynamic ID-based authentication schemes adopted hash functions or symmetric key encryptions because of the poor performance of smart cards. However, more recent schemes have adopted complex operations such as public key encryption as a result of advancements in smart card technology. The most outstanding advantage of public key encryption over hash functions and symmetric key encryption is its ability to ensure forward secrecy. Forward secrecy is a property that ensures that an established session key is not damaged, even if the long-term key used in key establishment is compromised. It is very important to ensure forward secrecy in order to prevent data leaks in the face of long-term key damage as a result of a system failure or leak, whether accidental or deliberate, because past data can be sensitive in the future as well. Various schemes that ensure forward secrecy have been proposed by researchers such as Sun et al. [14], Horng et al. [5], Wu et al. [8], Ma et al. [9], Wang et al. [10], and Jiang et al. [18]. However, because the schemes cited above used static long-term or public keys instead of the server’s ephemeral public key to generate a dynamic ID, they had the following two vulnerabilities. First, forward anonymity is not assured. Forward anonymity—first proposed by Diffie et al. to explain their station-to-station protocol attributes [19]—is similar to forward secrecy but prevents attackers from exposing any information about the identities of participants. In server encryption schemes and client encryption schemes that use secret information induced from a server’s long-term key, the static ID can be acquired from collected communication messages if a server’s long-term key is compromised. In client encryption schemes that use a static rather than an ephemeral public key to transfer a dynamic ID, the static ID can be identified immediately or can be traced if the static public key is compromised. As a result, the revealed ID may be used to identify messages from specific KSII TRANSACTIONS ON INTERNET AND INFORMATION SYSTEMS VOL. 10, NO. 3, March 2016 1291 users, or as partial information to regenerate session keys. Second, the schemes are vulnerable to replay attacks. Because the user ID is transferred using plain text in authentication schemes that do not ensure user anonymity, an eavesdropper can guess its password. This type of scheme defends against online dictionary attacks by limiting the number of attempts, but cannot limit attacks by attackers who try incorrect passwords repeatedly in order to induce denial of service. On the other hand, in schemes that ensure user anonymity, attackers cannot distinguish the static IDs of victims. Thus, replay attacks must be prevented if attackers do not know the static ID or dynamic ID generated by the server. However, attackers who eavesdrop on login request messages can carry out replay attacks by retransmitting the message to the server. This paper proposes a novel dynamic ID-based authentication scheme that solves the above problems by providing forward secrecy and forward anonymity. Further, we prove that the proposed scheme is secure under the computational Diffie-Hellman assumption and in the random oracle and ideal-cipher models. The remainder of this paper is organized as follows: Section 2 defines the adversary model. Section 3 gives a brief review and cryptanalysis of Horng et al.’s, Wu et al.’s, and Wang et al.’s schemes. Section 4 outlines our proposed scheme. Section 5 and Section 6 conduct a security analysis and a performance analysis of our proposed scheme, respectively. Section 7 concludes this paper.

2. Adversary Model Hao summarized robust security in the extreme-adversary principle as protection against an extremely powerful adversary who has all capabilities except that of trivially breaking a certain scheme [20]. On the basis of this ultimate definition of protocol security, Wang et al. [10] proposed the following six capabilities of the adversary for password-based dynamic ID authentication schemes that utilize smart card as follows: (1) full control of communication channel, (2) off-line enumeration of all possible ID-password pairs, (3) user ID identification, (4) password detection or sensitive information extraction from smart cards, (5) acquisition of the previous session key(s), and (6) acquisition of the server’s long-term key(s). They proved the above capabilities both theoretically and practically through the following cases: ID and password can be exposed through malicious smart card readers; ID can be guessed easily when a user selects an easy-to-memorize ID; and as a result, ID has low entropy so attackers can attempt off-line guessing attacks to all possible ID-password pairs within polynomial time. Note that the capability to acquire the server’s long-term key among the above six capabilities is limited to evaluation of the server’s final failure, called weak forward secrecy [21]. A scheme that provides weak forward security is vulnerable to session interception and user impersonation attacks when a long-term key is compromised. The scheme proposed by Wang et al. [10] is trivially broken when a long-term key and the user registration table in the server are simultaneously compromised. Attackers can acquire either the server’s long-term key or user registration table without restrictions under the condition that two events do not occur simultaneously, according to the extreme-adversary principle. However, the scheme uses low precision time, resulting in it being susceptible to user impersonation attacks that can easily be carried out by any attacker who acquires a long-term key. We propose the following adversary model, in which the adversary model proposed by Wang et al. is bolstered with strong forward secrecy characteristics: 1292 Lee et al.: Forward Anonymity-Preserving Secure Remote Authentication Scheme

1. Adversary has full control of the communication channel between communicating parties. 2. Adversary 𝒜𝒜 can enumerate all possible ID-password pairs within a reasonable amount of time off-line. 3. The (active)𝒜𝒜 adversary can determine the victim’s identity. 4. Adversary may either learn the victim’s password or extract secret data from the lost smart card, but cannot achieve𝒜𝒜 both. 5. Adversary 𝒜𝒜 can learn the previous session key(s). 6. Attacker may learn either the server’s long-term key or the registration table managed by the server,𝒜𝒜 but cannot achieve both. Capabilities 𝒜𝒜1 to 5 are the same as those proposed by Wang et al. Capability 6 includes forward secrecy against the active adversary. If the adversary learns both the server’s long-term key and the registration table, then the protocol can be trivially broken; therefore, it was excluded from the capabilities.

3. Review of Dynamic ID-based Authentication Schemes In this section, we briefly review dynamic ID-based authentication schemes that ensure forward secrecy—specifically, those proposed by Horng et al. [5], Wu et al. [8], and Wang et al. [10]—and discuss their vulnerabilities. Each scheme is a client encryption scheme that performs Diffie-Hellman key exchange using the client’s ephemeral public key and the server’s public key, and then encrypts the static ID using the key exchanged. The procedure comprises several phases—specifically, registration, login, authentication, and password changing. The password changing phase is not dealt with in this paper. The notations used throughout this paper are defined in Table 1.

Table 1. Notations Symbol Description User Remote server 𝑈𝑈 User’s ID 𝑆𝑆 User’s password 𝑖𝑖𝑖𝑖 [ ] Smart card containing 𝑝𝑝𝑝𝑝 Private key of remote server 𝑆𝑆𝑆𝑆 𝑀𝑀 Public key of remote server𝑀𝑀 𝑥𝑥 Established session key 𝑦𝑦 Bitwise XOR operation 𝑈𝑈𝑈𝑈 |𝑠𝑠𝑠𝑠| Concatenation operation ⊕( ) One-way hash function ( ) Symmetric encryption with key ℋ (⋅ ) Symmetric decryption with key 𝑘𝑘 ℰ ⋅ : sends to through a public𝑘𝑘 channel 𝑘𝑘 𝒟𝒟 ⋅ : sends to through a secure𝑘𝑘 channel 𝐴𝐴 → 𝐵𝐵 𝑀𝑀 𝐴𝐴 𝑀𝑀 𝐵𝐵 3.1 Review of Horng𝐴𝐴 ⇒ et𝐵𝐵 al𝑀𝑀.’s Scheme𝐴𝐴 𝑀𝑀 𝐵𝐵 Horng et al.’s scheme uses ( ) and ( ) as the server's private key and corresponding public key, respectively. ℋ 𝑠𝑠 ℋ 𝑠𝑠 𝑔𝑔 KSII TRANSACTIONS ON INTERNET AND INFORMATION SYSTEMS VOL. 10, NO. 3, March 2016 1293

Registration phase: 1. User chooses his/her identity , password , and a random number . 2. : { , ( || )}. 𝑈𝑈 𝑖𝑖𝑖𝑖 𝑝𝑝𝑝𝑝 𝑏𝑏 3. computes = ( || ) ( || ) and = { ( || ) ( )} mod , where is 𝑈𝑈 ⇒ 𝑆𝑆 𝑖𝑖𝑖𝑖 ℋ 𝑏𝑏 𝑝𝑝𝑝𝑝 the secret key of . ℋ 𝑖𝑖𝑖𝑖 𝑠𝑠 ⋅ℋ 𝑠𝑠 4. 𝑆𝑆 : { 𝑊𝑊[ , ,ℋ (𝑖𝑖𝑖𝑖), 𝑠𝑠, ⊕]}. ℋ 𝑏𝑏 𝑝𝑝𝑝𝑝 𝑤𝑤 𝑔𝑔 𝑝𝑝 𝑠𝑠 𝑆𝑆 5. On receiving the smart card from , inputs into his/her smart card. 𝑆𝑆 ⇒ 𝑈𝑈 𝑆𝑆𝑆𝑆 𝑊𝑊 𝑤𝑤 ℋ ⋅ 𝑝𝑝 𝑔𝑔 Login phase: 𝑆𝑆 𝑈𝑈 𝑏𝑏 1. inserts his/her smart card into the card reader and inputs his/her and . 2. The smart card chooses random numbers and , and computes = ( || ), 𝑈𝑈 = mod , = mod , = mod , and = 𝑖𝑖𝑖𝑖. 𝑝𝑝𝑝𝑝 3. 𝑎𝑎𝑎𝑎: { , ( , )}𝑎𝑎. 𝑢𝑢𝑎𝑎 𝑢𝑢 𝐼𝐼 𝑊𝑊 ⊕ ℋ 𝑏𝑏 𝑝𝑝𝑝𝑝 𝐶𝐶 𝑔𝑔 𝑝𝑝 𝑅𝑅 𝑤𝑤 𝑝𝑝 𝑁𝑁𝑢𝑢 𝑔𝑔 𝑝𝑝 𝑀𝑀1 𝐼𝐼 ⊕ 𝑁𝑁𝑢𝑢 Authentication𝑈𝑈 → 𝑆𝑆 𝐶𝐶 phase:ℰ𝑅𝑅 𝑖𝑖𝑖𝑖 𝑀𝑀1 1. computes = ( ) mod , decrypts ( , ) to obtain and , and checks the validity of . Ifℋ it𝑠𝑠 is invalid, the login request is rejected. Otherwise, chooses a 𝑅𝑅 1 1 random𝑆𝑆 number𝑅𝑅 𝐶𝐶 , and computes𝑝𝑝 =ℰ (𝑖𝑖𝑖𝑖||𝑀𝑀) , = 𝑖𝑖𝑖𝑖 , 𝑀𝑀 = mod , = , 𝑖𝑖𝑖𝑖 = mod , and = ( || || ). 𝑆𝑆 𝑣𝑣 𝑢𝑢 1 𝑣𝑣 : { ( , 𝑣𝑣 )} 𝑣𝑣 𝐼𝐼 ℋ 𝑖𝑖𝑖𝑖 𝑠𝑠 𝑁𝑁 𝐼𝐼 ⊕ 𝑀𝑀 𝑁𝑁 𝑔𝑔 𝑝𝑝 2. 2 𝑣𝑣 𝑈𝑈𝑈𝑈 . 𝑢𝑢 3 𝑈𝑈𝑈𝑈 𝑢𝑢 𝑀𝑀 𝐼𝐼 ⊕ 𝑁𝑁 𝑠𝑠𝑠𝑠 𝑁𝑁 (𝑝𝑝 , 𝑀𝑀) ℋ 𝑖𝑖𝑖𝑖 𝑠𝑠𝑠𝑠 𝑁𝑁 ( , ) 3. On receiving𝑅𝑅 reply2 3message from , the smart card decrypts to obtain𝑆𝑆 → 𝑈𝑈 ℰ and𝑀𝑀 𝑀𝑀, computes = and = mod , and checks if 𝑅𝑅 2 3 𝑅𝑅 2 3 ( || || ) is equal toℰ 𝑀𝑀. If they𝑀𝑀 are not𝑆𝑆 equal, the session𝑢𝑢 is terminatedℰ 𝑀𝑀 . 𝑀𝑀 2 3 𝑣𝑣 2 𝑈𝑈𝑈𝑈 𝑣𝑣 : 𝑀𝑀 { } 𝑀𝑀 = ( 𝑁𝑁|| 𝐼𝐼 ⊕) 𝑀𝑀 𝑠𝑠𝑠𝑠 𝑁𝑁 𝑝𝑝 4. 𝑈𝑈𝑈𝑈 , where𝑢𝑢 3 . ℋ 𝑖𝑖𝑖𝑖 𝑠𝑠𝑠𝑠 𝑁𝑁 𝑀𝑀 ( || ) 5. On receiving4 message 4 from 𝑣𝑣, checks𝑈𝑈𝑈𝑈 if is equal to . If they are 𝑈𝑈not→, the𝑆𝑆 session𝑀𝑀 is terminated𝑀𝑀 ℋ. 𝑁𝑁 𝑠𝑠𝑠𝑠 𝑀𝑀4 𝑈𝑈 𝑆𝑆 ℋ 𝑁𝑁𝑣𝑣 𝑠𝑠𝑠𝑠𝑈𝑈𝑈𝑈 𝑀𝑀4 3.1.1 Cryptanalysis of Horng et al.’s scheme

Off-line password guessing attack: An attacker acquires , , stored in his smart card that was issued legally for a legitimate user by executing side-channel attacks. Then, 𝒜𝒜 𝒜𝒜 𝒜𝒜 can get ( ) mod via the following calculation:𝒜𝒜 𝑊𝑊 𝑤𝑤 𝑏𝑏 ℋ 𝑠𝑠 𝒜𝒜 𝑔𝑔 ( 𝑝𝑝( || )) = ( ( || ) ( )) ( || ) = ( ) (mod ). −1 −1 𝑊𝑊𝒜𝒜⊕ℋ 𝑏𝑏𝒜𝒜 𝑝𝑝𝑝𝑝𝒜𝒜 ℋ 𝑖𝑖𝑖𝑖𝒜𝒜 𝑠𝑠 ⋅ℋ 𝑠𝑠 ℋ 𝑖𝑖𝑖𝑖𝒜𝒜 𝑠𝑠 ℋ 𝑠𝑠 Now let𝑤𝑤 us𝒜𝒜 assume that steals the𝑔𝑔 smart card of victim and acquires𝑔𝑔 , 𝑝𝑝, stored in ’s smart card in the same way. can guess a password, , from the dictionary Password ( ) and check that the corresponding𝒜𝒜 ( ) ( || ) mod𝑈𝑈 ∗ is equal to 𝑊𝑊. If 𝑤𝑤they𝑏𝑏 are, the ∗ correct𝑈𝑈 password is . Otherwise,𝒜𝒜 ℋ selects𝑠𝑠 𝑊𝑊⊕ℋ an𝑏𝑏other𝑝𝑝𝑝𝑝 password𝑝𝑝𝑝𝑝 and repeats this process until the correct password is ∗found. 𝑔𝑔 𝑝𝑝 𝑤𝑤 𝑝𝑝𝑝𝑝 𝒜𝒜 Online ID verification attack: Attacker may need a process to know whether the guessed ID is a valid ID registered on the server prior to attacking user . The vulnerability of the scheme is that the validity of the ID can be𝒜𝒜 checked online. If an attacker already has ( ) as in the off-line password guessing attack, he/she may compute =𝑈𝑈 mod and sendℋ 𝑠𝑠 to ′ ′ 𝑎𝑎 𝑔𝑔 ′ 𝐶𝐶 𝑔𝑔 𝑝𝑝 𝐶𝐶 1294 Lee et al.: Forward Anonymity-Preserving Secure Remote Authentication Scheme the server without knowing , because the server cannot distinguish between and = mod , where and are random numbers. An attack can be carried out as follows:′ 𝑎𝑎𝑎𝑎1. ( ) mod is calculated′ 𝐼𝐼 from a legitimate smart card, as in the off-line𝐶𝐶 password𝐶𝐶 𝑔𝑔 𝑝𝑝 𝑎𝑎 𝑎𝑎 guessingℋ 𝑠𝑠 attack. 𝑔𝑔 𝑝𝑝 ( ) 2. Random numbers and are selected, and = mod and = ( ) mod ′ ′ are calculated. ′ ′ 𝑎𝑎 ′ ℋ 𝑠𝑠 𝑎𝑎 3. With respect to 𝑎𝑎, whose𝑟𝑟 validity check is desired𝐶𝐶 ,𝑔𝑔 login request𝑝𝑝 message𝑅𝑅 𝑔𝑔{ , ( , )𝑝𝑝} is transferred to ∗. ′ ′ ∗ 𝑖𝑖𝑖𝑖 𝐶𝐶 ℰ𝑅𝑅 𝑖𝑖𝑖𝑖 𝑟𝑟 4. Since = ( ) ( ) mod = ( ) mod = , can decrypt ( , ). Thus, if 𝑆𝑆 ′ transmits a normal′ ℋ 𝑠𝑠 response, 𝑎𝑎 ∙ ℋcan𝑠𝑠 be a valid identity.′ ′ ∗ 𝑅𝑅 𝑅𝑅 𝐶𝐶 𝑝𝑝 𝑔𝑔 ∗ 𝑝𝑝 𝑅𝑅 𝑆𝑆 ℰ 𝑖𝑖𝑖𝑖 𝑟𝑟 No forward𝑆𝑆 anonymity: If a long𝑖𝑖𝑖𝑖-term master key or static private key ( ) of is compromised, the attacker can calculate = ( ) mod from the login request message { , ( , )} and decrypt ( , ) to determineℋ 𝑠𝑠 𝑠𝑠of the user. ℋ 𝑠𝑠 𝑆𝑆 𝑅𝑅 𝐶𝐶 𝑝𝑝 Replay𝐶𝐶 ℰ𝑅𝑅 𝑖𝑖𝑖𝑖 attack:𝑀𝑀1 Eavesdropperℰ𝑅𝑅 𝑖𝑖𝑖𝑖, who𝑀𝑀1 captured the 𝑖𝑖𝑖𝑖login request message sent by to , subsequently retransmits this message to . decrypts the message as usual in the authentication phase, and a response𝒜𝒜 message is created in reply to . However, 𝑈𝑈cannot𝑆𝑆 decrypt the response message, hence correct 𝑆𝑆 cannot𝑆𝑆 be calculated, causing authentication failure. repeats this process and eventually exceeds the number of online𝒜𝒜 attempts𝒜𝒜 allocated 4 to legitimate user . 𝑀𝑀 𝒜𝒜 3.2 Review of Wu𝑈𝑈 et al.’s Scheme Wu et al.'s scheme is based on an elliptic curve defined over a prime finite field . Let be a base point with a large order , be a master key, and ( , = ) be the server's private 𝑝𝑝 key and corresponding public key, respectively.𝐸𝐸 𝐹𝐹 𝑃𝑃 𝑞𝑞 𝑠𝑠 𝑥𝑥 𝑄𝑄 𝑥𝑥 ⋅ 𝑃𝑃 Registration phase: 1. User chooses his/her identity . 2. : { , }, where is the identity of the smart card. 𝑈𝑈 𝑖𝑖𝑖𝑖 3. computes = ( || || ) + ( || ), where is the initial password. 𝑈𝑈Then,⇒ 𝑆𝑆 inserts𝑖𝑖𝑖𝑖 𝑐𝑐𝑐𝑐𝑐𝑐 ( , ) in𝑐𝑐𝑐𝑐𝑐𝑐to the registration table. 𝑆𝑆 𝐴𝐴 ℋ0 𝑥𝑥 𝑖𝑖𝑖𝑖 𝑐𝑐𝑐𝑐𝑐𝑐 ℋ0 𝑝𝑝𝑝𝑝0 𝑖𝑖𝑖𝑖 𝑝𝑝𝑝𝑝0 4. : , , , ( , , )( ) , . 𝑆𝑆 𝑖𝑖𝑖𝑖 𝑐𝑐𝑐𝑐𝑐𝑐 5. On receiving the smart𝑝𝑝 𝑖𝑖card𝑖𝑖=0 1from2 , must0 change the password immediately in the password𝑆𝑆 ⇒ 𝑈𝑈 �𝑆𝑆𝑆𝑆 changing�𝐴𝐴 𝑄𝑄 𝐸𝐸 phase.ℋ ⋅ � 𝑝𝑝𝑝𝑝 � 𝑆𝑆 𝑈𝑈 Precomputation phase: The smart card chooses two random elements , in , computes = , = , = , and = ( || || ), and stores , ∗, , into 1 2 𝑞𝑞 its memory for use in the authentication and key agreement phase. 𝑟𝑟 𝑟𝑟 ℤ 𝑅𝑅1 𝑟𝑟1 ⋅ 𝑃𝑃 𝑅𝑅2 𝑟𝑟2 ⋅ 𝑃𝑃 𝑍𝑍2 𝑟𝑟2 ⋅ 𝑄𝑄 ℎ ℋ1 𝑅𝑅2 𝑄𝑄 𝑍𝑍2 𝑅𝑅1 𝑟𝑟1 𝑅𝑅2 ℎ Authentication and key agreement phase: 1. inserts his/her smart card into the card reader and inputs his/her and . 2. The smart card computes = + ( || ) and = ( || ). 𝑈𝑈 𝑖𝑖𝑖𝑖 𝑝𝑝𝑝𝑝 3. : { , }. ∗ 𝑅𝑅1 𝑅𝑅1 𝐴𝐴 − ℋ0 𝑝𝑝𝑝𝑝 𝑖𝑖𝑖𝑖 𝑑𝑑𝑑𝑑𝑑𝑑 ℎ ⊕ 𝑖𝑖𝑖𝑖 𝑐𝑐𝑐𝑐𝑐𝑐 ∗ { , } ( || ) = ( || || ) 4. On receiving1 message2 from , extracts , and𝑈𝑈 → verifies𝑆𝑆 𝑅𝑅 the𝑅𝑅 user's identity∗ using the registration table. Then, chooses a random 𝑅𝑅1 𝑅𝑅2 𝑈𝑈 𝑆𝑆 𝑖𝑖𝑖𝑖 𝑐𝑐𝑐𝑐𝑐𝑐 𝑑𝑑𝑑𝑑𝑑𝑑 ⊕ ℋ1 𝑅𝑅2 𝑄𝑄 𝑥𝑥 ⋅ 𝑅𝑅2 𝑆𝑆 KSII TRANSACTIONS ON INTERNET AND INFORMATION SYSTEMS VOL. 10, NO. 3, March 2016 1295

element in , and computes = ( || || ), = , = , and = ( ∗|| || || || || ). ∗ 𝑞𝑞 1 1 0 1 1 : {𝑤𝑤 , ℤ} ∗ 𝑅𝑅 𝑅𝑅 − ℋ 𝑥𝑥 𝑖𝑖𝑖𝑖 𝑐𝑐𝑐𝑐𝑐𝑐 𝑊𝑊 𝑤𝑤 ⋅ 𝑃𝑃 𝑍𝑍 𝑤𝑤 ⋅ 𝑅𝑅 5. 1 2 . 1 2 1 𝑉𝑉 ℋ 𝑆𝑆 𝑑𝑑𝑑𝑑𝑑𝑑 𝑊𝑊 𝑅𝑅 { 𝑅𝑅, 𝑍𝑍} = 6. On receiving reply1 message from , the smart card computes , and 𝑆𝑆checks→ 𝑈𝑈 if𝑊𝑊 𝑉𝑉( || || || || || ) is equal to . If they are, it computes = 1 1 1 ( || || || || || )∗. 𝑊𝑊 𝑉𝑉 𝑆𝑆 𝑍𝑍 𝑟𝑟 ⋅ 𝑊𝑊 2 1 2 1 1 2 7. : { ℋ}. ∗𝑆𝑆 𝑑𝑑𝑑𝑑𝑑𝑑 𝑊𝑊 𝑅𝑅 𝑅𝑅 𝑍𝑍 𝑉𝑉 𝑉𝑉 ℋ2 𝑑𝑑𝑑𝑑𝑑𝑑 𝑆𝑆 𝑅𝑅1 𝑅𝑅2 𝑊𝑊 𝑍𝑍1 8. On receiving from , checks if ( || || || || || ) is equal to . 𝑈𝑈 → 𝑆𝑆 𝑉𝑉2 ∗ = 9. Finally, the 2smart card and server2 compute 1the 2common1 session key2 ( || || 𝑉𝑉|| || 𝑈𝑈|| 𝑆𝑆). ℋ 𝑑𝑑𝑖𝑖𝑖𝑖 𝑆𝑆 𝑅𝑅 𝑅𝑅 𝑊𝑊 𝑍𝑍 𝑉𝑉 𝑈𝑈𝑈𝑈 ∗ 𝑠𝑠𝑠𝑠 3.2.1 ℋCr2yptanalysis𝑑𝑑𝑑𝑑𝑑𝑑 𝑆𝑆 𝑅𝑅1 𝑊𝑊of Wu𝑄𝑄 𝑍𝑍 et1 al.’s scheme Smart card loss attack: Attacker steals the smart card of victim and determines the A and , , , stored in the registration and precomputation phases, respectively, via side-channel attacks. Then, returns𝒜𝒜 the smart card to its original𝑈𝑈 location without the 1 1 2 victim's𝑅𝑅 𝑟𝑟knowledge𝑅𝑅 ℎ . Consequently, when attempts to login to , eavesdrops on the login request message to acquire { 𝒜𝒜 , , }, and guesses ’s password via the following process: 1. extracts ( || ) = ∗ , and𝑈𝑈 computes = 𝑆𝑆 +𝒜𝒜 . 𝑑𝑑𝑑𝑑𝑑𝑑 𝑅𝑅1 𝑅𝑅2 𝑈𝑈 2. selects from the dictionary Password and checks ∗whether ( || ) is the 𝒜𝒜 𝑖𝑖𝑖𝑖 𝑐𝑐𝑐𝑐𝑐𝑐 𝑑𝑑𝑑𝑑𝑑𝑑 ⊕ ℎ 𝐶𝐶 𝐴𝐴 − 𝑅𝑅1 𝑅𝑅1 same as . If it∗ is, the correct password is . Otherwise, another password∗ is selected 0 and𝒜𝒜 this process𝑝𝑝𝑝𝑝 is repeated until the correct password∗ is found. ℋ 𝑝𝑝𝑝𝑝 𝑖𝑖𝑖𝑖 𝐶𝐶 𝑝𝑝𝑝𝑝 No forward anonymity: If ’s private key is compromised, the attacker calculates ( || ) = ( || || ) from the login request message { , , }, thereby finding the and of the user.𝑆𝑆 𝑥𝑥 ∗ 𝑖𝑖𝑖𝑖 𝑐𝑐𝑐𝑐𝑐𝑐 𝑑𝑑𝑑𝑑𝑑𝑑 ⊕ ℋ1 𝑅𝑅2 𝑄𝑄 𝑥𝑥 ⋅ 𝑅𝑅2 𝑑𝑑𝑑𝑑𝑑𝑑 𝑅𝑅1 𝑅𝑅2 Replay attack:𝑖𝑖𝑖𝑖 E𝑐𝑐avesdropper𝑐𝑐𝑐𝑐 , who captured login request message { , , }, which was transferred by to , subsequently retransmits this messages to . Authentication∗ will 2 fail because does not know 𝒜𝒜, which will be used to calculate . However,𝑑𝑑𝑑𝑑𝑑𝑑 𝑅𝑅1 𝑅𝑅 because does not store all past𝑈𝑈 messages𝑆𝑆 transmitted by , it cannot distinguish 𝑆𝑆whether this request is 1 1 an attack via 𝒜𝒜retransmission or simply𝑟𝑟 an incorrect password input by𝑍𝑍 . Thus, repeats this𝑆𝑆 process and may eventually exceed the number 𝑈𝑈of online attempts allocated to legitimate user . 𝑈𝑈 𝒜𝒜

𝑈𝑈3.3 Review of Wang et al.’s Scheme Registration phase: 1. User chooses his/her , , and a random number . 2. : { , ( || )}. 𝑈𝑈 𝑖𝑖𝑖𝑖 𝑝𝑝𝑝𝑝 𝑏𝑏 = ( || ) 3. On receiving the0 registration message from at time , computes 𝑈𝑈 ⇒( 𝑆𝑆|| 𝑖𝑖𝑖𝑖|| ℋ) and𝑏𝑏 𝑝𝑝𝑝𝑝= ( ( ) ( || )) mod . Then, stores ( , ) in 0 the registration table. 𝑈𝑈 𝑇𝑇 𝑆𝑆 𝑁𝑁 ℋ 𝑏𝑏 𝑝𝑝𝑝𝑝 ⊕ 0 0 0 0 4. ℋ 𝑥𝑥 :𝑖𝑖𝑖𝑖 { 𝑇𝑇[ , ]}𝐴𝐴. ℋ � ℋ 𝑖𝑖𝑖𝑖 ⊕ ℋ 𝑏𝑏 𝑝𝑝𝑝𝑝 𝑛𝑛� 𝑆𝑆 𝑖𝑖𝑖𝑖 𝑇𝑇 5. On receiving the smart card from , inputs into his/her smart card. 𝑆𝑆 ⇒ 𝑈𝑈 𝑆𝑆𝑆𝑆 𝑁𝑁 𝐴𝐴 Login phase: 𝑆𝑆 𝑈𝑈 𝑏𝑏 1296 Lee et al.: Forward Anonymity-Preserving Secure Remote Authentication Scheme

1. inserts his/her smart card into the card reader and inputs his/her and . 2. The smart card checks if ( ( ) ( || ))) mod is equal to . If they 𝑈𝑈 𝑖𝑖𝑖𝑖 𝑝𝑝𝑝𝑝 are not, the session is terminated. The smart card chooses a random number and 0 0 0 computes = mod ℋ, � ℋ= 𝑖𝑖𝑖𝑖 mod⊕ ℋ, 𝑏𝑏 =𝑝𝑝𝑝𝑝 ( 𝑛𝑛||� ) = ( 𝐴𝐴|| || ) , = ( 𝑢𝑢|| ), and = 𝑢𝑢 ( || || ). 𝑢𝑢 1 1 0 0 3. : { 𝐶𝐶, ,𝑔𝑔 }. 𝑝𝑝 𝑌𝑌 𝑦𝑦 𝑝𝑝 𝑘𝑘 𝑁𝑁 ⊕ ℋ 𝑏𝑏 𝑝𝑝𝑝𝑝 ℋ 𝑥𝑥 𝑖𝑖𝑖𝑖 𝑇𝑇 𝑐𝑐𝑐𝑐𝑐𝑐 𝑖𝑖𝑖𝑖 ⊕ ℋ0 𝐶𝐶1 𝑌𝑌1 𝑀𝑀 ℋ0 𝑌𝑌1 𝑘𝑘 𝑐𝑐𝑐𝑐𝑐𝑐 Verification𝑈𝑈 → 𝑆𝑆 phase:𝐶𝐶1 𝑐𝑐𝑐𝑐𝑐𝑐 𝑀𝑀 1. On receiving the login request message { , , } from , computes = mod and = ( || ). If is invalid, the session is terminated. computes𝑥𝑥 = ( || || ), and checks if ( 𝐶𝐶|1| 𝑐𝑐|𝑐𝑐𝑐𝑐| 𝑀𝑀) is equal𝑈𝑈 𝑆𝑆to . If they𝑌𝑌1 are𝐶𝐶 1not, the𝑝𝑝 0 1 1 session𝑖𝑖𝑖𝑖 is𝑐𝑐 𝑐𝑐𝑐𝑐terminated.⊕ ℋ 𝐶𝐶 Then,𝑌𝑌 𝑖𝑖𝑖𝑖 chooses a random element and computes𝑆𝑆 = 0 0 1 𝑘𝑘 modℋ 𝑥𝑥, 𝑖𝑖𝑖𝑖=𝑇𝑇 mod , and ℋ= 𝑌𝑌 ( 𝑘𝑘 ||𝑐𝑐𝑐𝑐𝑐𝑐|| || || || )𝑀𝑀. 𝑆𝑆 𝑣𝑣 : { , } 𝑣𝑣 𝑆𝑆 𝑣𝑣 𝐾𝐾 2. 1 2 . 3 1 1 2 𝑆𝑆 𝐶𝐶 𝑝𝑝 𝐶𝐶 { ,𝑔𝑔 } 𝑝𝑝 𝐶𝐶 ℋ 𝑖𝑖𝑖𝑖 𝑆𝑆 𝑌𝑌 𝐶𝐶 𝑘𝑘=𝐾𝐾 mod 3. On receiving2 3 from , the smart card computes and checks that 𝑆𝑆 →( 𝑈𝑈|| 𝐶𝐶|| 𝐶𝐶|| || || ) is equal to . If they are not, the session𝑢𝑢 is terminated. Then 2 3 𝑈𝑈 the smart card 𝐶𝐶computes𝐶𝐶 𝑆𝑆= ( || || || || || 𝐾𝐾). 𝐶𝐶2 𝑝𝑝 1 1 2 𝑆𝑆 3 ℋ 𝑖𝑖𝑖𝑖: 𝑆𝑆{ 𝑌𝑌} 𝐶𝐶 𝑘𝑘 𝐾𝐾 𝐶𝐶 4. . 4 2 1 2 𝑈𝑈 𝐶𝐶 ℋ 𝑖𝑖𝑖𝑖 𝑆𝑆 𝑌𝑌( 𝐶𝐶|| ||𝑘𝑘 |𝐾𝐾| || || ) 5. On receiving4 from , checks that is equal to . If they 𝑈𝑈are→ not𝑆𝑆 , the𝐶𝐶 session is terminated. 4 2 1 2 𝑆𝑆 4 6. Finally, the 𝐶𝐶smart card𝑈𝑈 𝑆𝑆 and serverℋ compute𝑖𝑖𝑖𝑖 𝑆𝑆 𝑌𝑌the 𝐶𝐶common𝑘𝑘 𝐾𝐾 session key𝐶𝐶 = ( || || || || || ) = ( || || || || || ). 𝑠𝑠𝑠𝑠𝑈𝑈𝑈𝑈 3.3.1 ℋCryptanalysis3 𝑖𝑖𝑖𝑖 𝑆𝑆 𝑌𝑌1 𝐶𝐶2 of𝑘𝑘 Wang𝐾𝐾𝑢𝑢 etℋ al3 .’s𝑖𝑖𝑖𝑖 scheme𝑆𝑆 𝑌𝑌1 𝐶𝐶2 𝑘𝑘 𝐾𝐾𝑆𝑆 No forward anonymity: When ’s private key is compromised, eavesdropper can identify = ( || mod ) using the information collected from the login request message { , , }. 𝑥𝑥 𝑆𝑆 𝑥𝑥 𝒜𝒜 𝑖𝑖𝑖𝑖 𝑐𝑐𝑐𝑐𝑐𝑐 ⊕ ℋ0 𝐶𝐶1 𝐶𝐶1 𝑝𝑝 Replay attack: E𝐶𝐶avesdropper1 𝑐𝑐𝑐𝑐𝑐𝑐 𝑀𝑀 , who captured login request message { , , }, which was transferred by to , subsequently retransmits this messages to . Authentication will 1 fail because does not know 𝒜𝒜random number , which will be used to calculate𝐶𝐶 𝑐𝑐𝑐𝑐𝑐𝑐 𝑀𝑀 by . However, does not𝑈𝑈 store𝑆𝑆 all past messages transmitted by , so it cannot𝑆𝑆 distinguish whether 4 this request is𝒜𝒜 an attack via retransmission or simply𝑢𝑢 an incorrect password input by 𝐶𝐶 . Thus,𝒜𝒜 repeats 𝑆𝑆this process and may eventually exceed the number𝑈𝑈 of online attempts allocated to legitimate user . 𝑈𝑈 𝒜𝒜 User impersonation𝑈𝑈 attack: Assuming that the precision of time , generated in the registration phase, is less than or equal to a second, as shown in the Unix time function, its increase is less than 3.2 × 10 per year. As such, if low precision time is 𝑇𝑇used and the server's private key is compromise,7 eavesdropper can calculate a shared secret between user and server via the following process using information collected from login request message { , , }.𝑥𝑥 𝒜𝒜 𝑘𝑘 calculates = ( ) mod and = ( || ) from the message. Then, the 𝐶𝐶1 𝑐𝑐𝑐𝑐𝑐𝑐 𝑀𝑀 following computation is performed𝑥𝑥 with respect to all time , from service initiation of the 1 1 0 1 1 server𝒜𝒜 to current𝑌𝑌 time. 𝐶𝐶 𝑝𝑝 𝑖𝑖𝑖𝑖 𝑐𝑐𝑐𝑐𝑐𝑐 ⊕ ℋ 𝐶𝐶 𝑌𝑌∗ 1. Compute = ( || || ) and = ( || || )𝑇𝑇. ∗ ∗ 𝑘𝑘 ℋ0 𝑥𝑥 𝑖𝑖𝑖𝑖 𝑇𝑇 𝑀𝑀 ℋ0 𝑌𝑌1 𝑘𝑘 𝑐𝑐𝑐𝑐𝑐𝑐 KSII TRANSACTIONS ON INTERNET AND INFORMATION SYSTEMS VOL. 10, NO. 3, March 2016 1297

2. Iterate the calculation until = . The actual value shared by the server∗ and user is , so if the value of is known, the user impersonation attack can be easily𝑀𝑀 accomplished𝑀𝑀 . To interrupt this attack, the time used in the registration phase should contain a sufficiently𝑘𝑘 long random numbe𝑘𝑘 r along with time information. 𝑇𝑇

4. Our Proposed Scheme In this section, we outline our proposed dynamic ID-based authentication scheme, in which forward secrecy and forward anonymity are preserved and replay attacks are obviated using a smart card. The scheme comprises three phases: registration phase, authentication phase, and password changing phase.

Registration phase: Our scheme is defined over a finite cyclic group of prime order with as a generator. Hash functions {0,1} {0,1} are denoted by , where {0, 1, 2, 3, 4, 5} and is the output bit length of . Let∗ ( , =ℓ𝑖𝑖 mod ) denote server𝔾𝔾 ’s private key𝑞𝑞 and 𝑖𝑖 its𝑔𝑔 corresponding public key. When user→ wishes𝑥𝑥 to registerℋ his/her ID𝑖𝑖 ∈to sever , the followingℓ𝑖𝑖 operations are performed:ℋ𝑖𝑖 𝑥𝑥 𝑦𝑦 𝑔𝑔 𝑝𝑝 𝑆𝑆 1. chooses his/her . 𝑈𝑈 𝑆𝑆 2. : { }. 𝑈𝑈 𝑖𝑖𝑖𝑖 3. On receiving the registration request message from , chooses two random numbers 𝑈𝑈 ⇒ 𝑆𝑆 𝑖𝑖𝑖𝑖 and , and computes = ( ), = ( || || ) and = || ( ), where is the initial password. Then, stores ( , ) in𝑈𝑈 the𝑆𝑆 registration⋆ table. 𝑟𝑟 𝑅𝑅 𝐼𝐼𝐼𝐼 ℋ0 𝑖𝑖𝑖𝑖 𝑉𝑉𝑈𝑈 ℋ5 𝑥𝑥 𝐼𝐼𝐼𝐼 𝑅𝑅 𝑉𝑉𝑈𝑈 ℰ𝑟𝑟 𝑝𝑝𝑝𝑝0 𝑉𝑉𝑈𝑈 4. : { , , , , , , ( , , , , )( ) , }. 𝑝𝑝𝑝𝑝0 𝑆𝑆 𝐼𝐼𝐼𝐼 𝑅𝑅 ⋆ 5. On receiving the𝑈𝑈 smart card from𝑖𝑖 𝑖𝑖=0 1,2 3 4must change0 the password immediately in the password𝑆𝑆 ⇒ 𝑈𝑈 𝑆𝑆𝑆𝑆 changing�𝑟𝑟 𝑉𝑉 𝑦𝑦 phase.𝑔𝑔 𝑝𝑝 𝑞𝑞 ℋ ⋅ � 𝑝𝑝𝑝𝑝 𝑆𝑆 𝑈𝑈 Authentication phase: 1. inserts his/her smart card into the card reader, inputs his/her and , and opens a session with . 2. 𝑈𝑈 chooses a random element in , and computes = mod𝑖𝑖𝑖𝑖 . 𝑝𝑝𝑝𝑝 𝑆𝑆 3. : { , }. ∗ 𝑏𝑏 𝑆𝑆 𝑏𝑏 ℤ𝑞𝑞 𝐵𝐵 𝑔𝑔 𝑝𝑝 4. On receiving message { , } from , the smart card chooses a random element in , 𝑆𝑆 → 𝑈𝑈 𝑆𝑆 𝐵𝐵 computes = mod , = ( ) , = mod , = mod , =∗ || 𝑞𝑞 ( ), = 𝑎𝑎 𝑆𝑆 (𝐵𝐵 || || 𝑆𝑆|| ), and⋆ = 𝑎𝑎 ( || || || || 𝑎𝑎 || ||𝑎𝑎 ). ℤ 𝐴𝐴 𝑔𝑔 𝑝𝑝 𝑉𝑉𝑈𝑈 𝒟𝒟𝑟𝑟 𝑝𝑝𝑝𝑝 𝑉𝑉𝑈𝑈 𝑉𝑉𝑆𝑆 𝑦𝑦 𝑝𝑝 𝐾𝐾𝑈𝑈 𝐵𝐵 𝑝𝑝 𝐼𝐼𝐼𝐼 5. : { ⋆ , , }. ℋ0 𝑖𝑖𝑖𝑖 𝐼𝐼𝐼𝐼 𝐼𝐼𝐼𝐼 ⊕ ℋ3 𝐴𝐴 𝐵𝐵 𝑉𝑉𝑆𝑆 𝐾𝐾𝑈𝑈 𝑀𝑀𝑈𝑈 ℋ1 𝐼𝐼𝐼𝐼 𝑆𝑆 𝐴𝐴 𝐵𝐵 𝑉𝑉𝑈𝑈 𝑉𝑉𝑆𝑆 𝐾𝐾𝑈𝑈 6. On receiving⋆ message { , , } from , computes = mod , = mod , 𝑈𝑈 → 𝑆𝑆 𝐼𝐼𝐼𝐼 𝐴𝐴 𝑀𝑀𝑈𝑈 = ( || || ⋆ || ), checks the validity of using𝑥𝑥 the registration𝑏𝑏 table. If 𝑈𝑈 𝑆𝑆 𝑆𝑆 it is invalid,⋆ the session𝐼𝐼𝐼𝐼 is𝐴𝐴 terminated.𝑀𝑀 𝑈𝑈 Otherwise,𝑆𝑆 𝑉𝑉 computes𝐴𝐴 𝑝𝑝=𝐾𝐾 ( 𝐴𝐴|| || )𝑝𝑝, 3 𝑆𝑆 𝑆𝑆 𝐼𝐼𝐼𝐼where𝐼𝐼𝐼𝐼 ⊕is ℋextracted𝐴𝐴 𝐵𝐵 𝑉𝑉from𝐾𝐾 the entry corresponding𝑖𝑖𝑖𝑖 to . Then, checks if 𝑈𝑈 5 ( || || || || || || ) is equal to . If they are𝑆𝑆 not, the session𝑉𝑉 ℋ is terminated𝑥𝑥 𝐼𝐼𝐼𝐼 𝑅𝑅 . Otherwise,𝑅𝑅 computes = ( || || || || || || ). 𝐼𝐼𝐼𝐼 𝑆𝑆 1 𝑈𝑈 𝑆𝑆 𝑆𝑆 𝑈𝑈 ℋ 𝐼𝐼𝐼𝐼: {𝑆𝑆 𝐴𝐴} 𝐵𝐵 𝑉𝑉 𝑉𝑉 𝐾𝐾 𝑀𝑀 7. . 𝑆𝑆 2 𝑈𝑈 𝑆𝑆 𝑆𝑆 𝑆𝑆 𝑀𝑀 ℋ 𝐼𝐼𝐼𝐼 𝑆𝑆 𝐴𝐴 𝐵𝐵 𝑉𝑉( 𝑉𝑉|| 𝐾𝐾|| || || || || ) 8. On receiving𝑆𝑆 message from , checks if is equal to 𝑆𝑆 →. If𝑈𝑈 they𝑀𝑀 are not, the session is terminated. 𝑀𝑀𝑆𝑆 𝑆𝑆 𝑈𝑈 ℋ2 𝐼𝐼𝐼𝐼 𝑆𝑆 𝐴𝐴 𝐵𝐵 𝑉𝑉𝑈𝑈 𝑉𝑉𝑆𝑆 𝐾𝐾𝑈𝑈 𝑀𝑀𝑆𝑆 1298 Lee et al.: Forward Anonymity-Preserving Secure Remote Authentication Scheme

9. Finally, the smart card and the server compute the common session key = ( || || || || || || ) = ( || || || || || || ) 𝑠𝑠𝑠𝑠𝑈𝑈𝑈𝑈 Passwordℋ3 𝐼𝐼𝐼𝐼 changing𝑆𝑆 𝐴𝐴 𝐵𝐵 phase𝑉𝑉𝑈𝑈 𝑉𝑉:𝑆𝑆 In𝐾𝐾 𝑈𝑈our scheme,ℋ3 𝐼𝐼𝐼𝐼 the𝑆𝑆 𝐴𝐴user𝐵𝐵 can𝑉𝑉𝑈𝑈 change𝑉𝑉𝑆𝑆 𝐾𝐾𝑆𝑆 his/her password either interactively or non-interactively. Although the non-interactive procedure is simple, it may render the smart card unusable if the user enters a wrong password by mistake or an adversary intentionally inputs an arbitrary password after gaining temporary access to the smart card. Thus, we suggest the following interactive password change procedure: 1. inserts his/her smart card into the card reader and inputs his/her , old password , and new password . 2. 𝑈𝑈The smart card and the′ server perform the authentication phase with𝑖𝑖𝑖𝑖 and . If𝑝𝑝𝑝𝑝 the smart card shares the𝑝𝑝𝑝𝑝 session key successfully, it chooses a random number , computes = || ( || ( )), and updates the values of and stored𝑖𝑖𝑖𝑖 in its ′memory𝑝𝑝𝑝𝑝 to ′ and ′ , respectively′ . ⋆ ⋆ 𝑟𝑟 𝑈𝑈 𝑟𝑟 𝑝𝑝𝑝𝑝 𝑟𝑟 𝑝𝑝𝑝𝑝 𝑈𝑈 𝑈𝑈 𝑉𝑉′ ℰ ′ 𝒟𝒟 𝑉𝑉 𝑉𝑉 𝑟𝑟 𝑉𝑉𝑈𝑈 𝑟𝑟 Client Server Registration Phase: : ’s private key Select 𝑈𝑈 (= ): ’s public key 𝑆𝑆 { } 𝑥𝑥 𝑆𝑆 𝑥𝑥 𝑖𝑖𝑖𝑖 𝑦𝑦 𝑔𝑔 𝑆𝑆 𝑖𝑖𝑖𝑖 = ( ) Select two random elements and ��������������� 0 𝐼𝐼𝐼𝐼 = ℋ (𝑖𝑖𝑖𝑖|| || ) = || ( ) 𝑟𝑟 𝑅𝑅 𝑈𝑈 5 Store𝑉𝑉⋆ ℋ( ,𝑥𝑥 )𝐼𝐼𝐼𝐼 in registration𝑅𝑅 table 𝑉𝑉𝑈𝑈 ℰ𝑟𝑟 𝑝𝑝𝑝𝑝0 𝑉𝑉𝑈𝑈 Store ( , , , , , , ( , , , , )( )) in smart card {smart card, } 𝐼𝐼𝐼𝐼 𝑅𝑅⋆ 𝑟𝑟 𝑉𝑉𝑈𝑈 𝑦𝑦 𝑔𝑔 𝑝𝑝 𝑞𝑞 ℋ𝑖𝑖 𝑖𝑖=0 1 2 3 4 ⋅ 0 Authentication Phase: 𝑝𝑝𝑝𝑝 Input , ������������ ���

= 𝑖𝑖𝑖𝑖∗ 𝑝𝑝𝑝𝑝 = = = ( ) = ∗ 𝑅𝑅 𝑞𝑞 , , , 𝑅𝑅 𝑞𝑞 𝑎𝑎 ∈ ℤ 𝑎𝑎 𝑎𝑎 𝑎𝑎 { , } 𝑏𝑏 ∈ ℤ𝑏𝑏 𝐴𝐴 𝑔𝑔 𝑉𝑉𝑆𝑆 𝑦𝑦 𝐾𝐾𝑈𝑈 𝐵𝐵 𝐼𝐼𝐼𝐼 ℋ0 𝑖𝑖𝑖𝑖 𝐵𝐵 𝑔𝑔 = ( || || || ) 𝑆𝑆 𝐵𝐵 ⋆= || ( ) = , = 3 𝑆𝑆 𝑈𝑈 �⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯� 𝐼𝐼𝐼𝐼 = 𝐼𝐼𝐼𝐼(⊕ ℋ||⋆ ||𝐴𝐴 ||𝐵𝐵 ||𝑉𝑉 |𝐾𝐾| || ) 𝑥𝑥 𝑏𝑏 𝑈𝑈 𝑟𝑟 𝑝𝑝𝑝𝑝 𝑈𝑈 𝑆𝑆 𝑆𝑆 𝑉𝑉 𝒟𝒟 𝑉𝑉 { , , 𝑉𝑉} 𝐴𝐴 𝐾𝐾 𝐴𝐴 𝑈𝑈 1 𝑈𝑈 𝑆𝑆 𝑈𝑈 𝑀𝑀 ℋ 𝐼𝐼𝐼𝐼 𝑆𝑆 𝐴𝐴 𝐵𝐵 𝑉𝑉 𝑉𝑉 𝐾𝐾 ⋆ 𝐼𝐼𝐼𝐼 𝐴𝐴 𝑀𝑀 𝑈𝑈 = ( || || || ) Abort if ⋆ is invalid �⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯� 3 𝑆𝑆 𝑆𝑆 Retrieve𝐼𝐼𝐼𝐼 𝐼𝐼𝐼𝐼 ⊕ fromℋ registration𝐴𝐴 𝐵𝐵 𝑉𝑉 𝐾𝐾 table = 𝐼𝐼𝐼𝐼( || || ) Abort if 𝑅𝑅 ( || || || || || || ) 𝑈𝑈 5 𝑉𝑉 = ℋ (𝑥𝑥 𝐼𝐼𝐼𝐼|| ||𝑅𝑅 || || || || ) 𝑈𝑈 1 𝑈𝑈 𝑆𝑆 𝑆𝑆 { } 𝑀𝑀 ≠ ℋ 𝐼𝐼𝐼𝐼 𝑆𝑆 𝐴𝐴 𝐵𝐵 𝑉𝑉 𝑉𝑉 𝐾𝐾 𝑀𝑀𝑆𝑆 ℋ2 𝐼𝐼𝐼𝐼 𝑆𝑆 𝐴𝐴 𝐵𝐵 𝑉𝑉𝑈𝑈 𝑉𝑉𝑆𝑆 𝐾𝐾𝑆𝑆 Abort if ( || || || || || || 𝑀𝑀)𝑆𝑆 = ( || || || || || || �⎯)⎯ ⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯�= ( || || || || || || ) 𝑀𝑀𝑆𝑆 ≠ ℋ2 𝐼𝐼𝐼𝐼 𝑆𝑆 𝐴𝐴 𝐵𝐵 𝑉𝑉𝑈𝑈 𝑉𝑉𝑆𝑆 𝐾𝐾𝑈𝑈 𝑠𝑠𝑠𝑠𝑈𝑈 ℋ0 𝐼𝐼𝐼𝐼 𝑆𝑆 𝐴𝐴 𝐵𝐵 𝑉𝑉𝑈𝑈 𝑉𝑉𝑆𝑆 𝐾𝐾𝑈𝑈 Fig. 1. The𝑠𝑠𝑠𝑠 proposed𝑆𝑆 ℋ0 𝐼𝐼𝐼𝐼 scheme𝑆𝑆 𝐴𝐴 𝐵𝐵 𝑉𝑉𝑈𝑈 𝑉𝑉𝑆𝑆 𝐾𝐾𝑆𝑆

KSII TRANSACTIONS ON INTERNET AND INFORMATION SYSTEMS VOL. 10, NO. 3, March 2016 1299

5. Security Analysis In this section, we describe a formal security model for dynamic ID-based authentication schemes using smart cards, and show that our scheme is secure under the computational Diffie-Hellman assumption and in the random oracle and ideal-cipher models.

5.1 Formal Security Model We adopt the security model defined by Wang et al. [10], which is based on previous work by Bellare et al. [22] and Bresson et al. [23], to define the special security requirements for password authentication schemes using smart cards.

Players. We denote a server and a client that can participate in the authenticated key exchange protocol . Each of them may have several instances, called oracles, involved in distinct, possibly concurrent, 𝑆𝑆executions of𝑈𝑈 . We denote client instances (resp. server instances) by (resp.𝑃𝑃 ), or by when we consider any kind of instance. 𝑖𝑖 𝑗𝑗 𝑃𝑃 Queries. The 𝑈𝑈adversary𝑆𝑆, , interacts𝐼𝐼 with the participants and tries to break the privacy of the key or the authentication of the players. To this aim, several queries are available to . ○ Execute( , ): This𝒜𝒜 query models passive attacks, where the adversary eavesdrops on 𝒜𝒜 honest executions𝑖𝑖 𝑗𝑗 of between and . ○ Reveal( )𝑈𝑈: This𝑆𝑆 query models the misuse𝑖𝑖 𝑗𝑗of the session key by instance . The query is only available to if𝑃𝑃 the attacked𝑈𝑈 instance𝑆𝑆 actually holds a session key and it releases to 𝐼𝐼. 𝐼𝐼 ○ Send( , ): This 𝒜𝒜query models sending a message to instance . receives the 𝑠𝑠𝑠𝑠response𝒜𝒜 generates in processing the message according to the protocol in return. In our𝐼𝐼 scheme,𝑚𝑚 a query Send( , Start𝒜𝒜 ) initializes the key exchange algorithm,𝐼𝐼 𝒜𝒜 and thus the adversary𝐼𝐼 receives the flow𝑗𝑗 the server should𝑚𝑚 send to the client. 𝑃𝑃 ○ Corrupt( , ): This query models𝑆𝑆 the corruption capability of the adversary. can indeed steal/break either one of the two authentication factors of clients, but not both. A similar process𝐼𝐼 𝑎𝑎 goes on in the private key or the registration table of the server. 𝒜𝒜 − If = 1, it outputs password, . − If = 2, it outputs the parameter stored in the smart card. 𝑎𝑎 𝑈𝑈′𝑠𝑠 𝑝𝑝𝑝𝑝 − If = 3, it outputs all pairs of ( , ⋆ ) in the registration table. 𝑎𝑎 𝑉𝑉𝑈𝑈 − If = 4, it outputs the private key of . 𝑎𝑎 𝐼𝐼𝐼𝐼 𝑅𝑅 Semantic Security.𝑎𝑎 The privacy of the session𝑥𝑥 key𝑆𝑆 is modeled by the game Gameake( , ), in which one more query is available to the adversary: Test( ). The Test( )-query can be asked at most once by adversary and is only available to if the session key 𝒜𝒜is 𝑃𝑃not obviously known to . This query is answered as follows: one 𝐼𝐼flips a coin 𝐼𝐼 and forward (the value Reveal( ) outputs) if =𝒜𝒜1, or a random value if =𝒜𝒜0. In playing this game, the goal of the adversary𝒜𝒜 is to guess the bit involved in the Test( )-query, by𝑏𝑏 outputting this𝑠𝑠𝑠𝑠 guess . We denote𝐼𝐼 AKE Advantage𝑏𝑏 as the probability that 𝑏𝑏 correctly guesses the value . More precisely′ , we define it by Adv 𝑏𝑏( ) = 2 Pr[ = ] 𝐼𝐼1. Protocol is said to be AKE-secure𝑏𝑏 if such a probability is negligibleake in the security′ 𝒜𝒜parameter. 𝑏𝑏 𝒫𝒫 𝒜𝒜 𝑏𝑏 𝑏𝑏 − 𝑃𝑃 Authentication. Another goal of the adversary is to impersonate the client or the server. We denote by Succauth( ) the probability that successfully impersonates an instance of in

𝑃𝑃 𝒜𝒜 𝒜𝒜 𝑈𝑈 1300 Lee et al.: Forward Anonymity-Preserving Secure Remote Authentication Scheme the execution of . Protocol is said to be Auth-secure if such a probability is negligible in the security parameter. 𝑃𝑃 𝑃𝑃 Computational Diffie-Hellman Assumption. A ( , )-CDH , attacker, in a finite cyclic group of prime order with as a generator, is a probabilistic machine running in time 𝑔𝑔 𝔾𝔾 cdh 𝑡𝑡 𝜀𝜀 such that its success probability, Succ , ( ), given random elements and to output , 𝔾𝔾 𝑞𝑞 𝑔𝑔 cdh ( ) 𝑥𝑥 𝛥𝛥 𝑦𝑦 𝑥𝑥𝑥𝑥𝑡𝑡 is greater than . As usual, we denote𝑔𝑔 𝔾𝔾 by Succ , the maximal success probability over 𝛥𝛥 𝑔𝑔 𝑔𝑔 cdh 𝑔𝑔 every adversaries running within time . The CDH-Assumption states that Succ , ( ) for 𝜀𝜀 𝑔𝑔 𝔾𝔾 𝑡𝑡 any is not overly large. 𝑡𝑡 𝑔𝑔 𝔾𝔾 𝑡𝑡 ≤ 𝜀𝜀 5.2 Security𝑡𝑡⁄𝜀𝜀 Proof Semantic Security. The following theorem shows that the proposed scheme securely distributes session keys under the reasonable and well-defined intractability assumptions.

Theorem 1. Let be the above protocol and Password be a finite dictionary of size equipped with a uniform distribution. Let be an adversary against the AKE security of within a time bound𝑃𝑃 , with less than interactions with the parties and passive𝑁𝑁 eavesdroppings, and asking hash-queries𝒜𝒜 and encryption/decryption-queries. Then, we𝑃𝑃 𝑠𝑠 𝑝𝑝 have 𝑡𝑡 𝑞𝑞 𝑞𝑞 ℎ 𝑒𝑒 𝑞𝑞 ( 𝑞𝑞 + ) ( + 4 + + )2 Adv ( ) + 4 cdh( ) + + , Succ 2 1 ℎ 𝑠𝑠2 𝑝𝑝 𝑒𝑒 ake 𝑞𝑞𝑠𝑠 ′ 𝑞𝑞𝑠𝑠 𝑞𝑞𝑝𝑝 𝑞𝑞 𝑞𝑞 𝑞𝑞 𝑞𝑞 𝒫𝒫 𝒜𝒜 ≤ 𝑞𝑞ℎ 𝔾𝔾 𝑡𝑡 ℓ where + ( + 𝑁𝑁+ 1) with denoting𝑞𝑞 − { , , , } and denoting the computational′ time for an exponentiation in . 𝑡𝑡 ≤ 𝑡𝑡 𝑞𝑞𝑠𝑠 𝑞𝑞𝑝𝑝 ⋅ 𝜏𝜏𝔾𝔾 ℓ 𝑚𝑚𝑚𝑚𝑚𝑚 ℓ1 ℓ2 ℓ3 ℓ4 𝜏𝜏𝔾𝔾 Proof. We prove this theorem through a sequence𝔾𝔾 of games beginning with the real protocol and ending up with a game where adversary ’s advantage is zero. The details of the proof can be found in Appendix A.1. □ 𝒜𝒜 Authentication. The following theorem shows that the proposed scheme further ensures mutual authentication, in the sense that neither a server instance nor a client instance will accept an authenticator that has not been actually sent by the related instance with probability significantly greater than / .

Theorem 2. Let be the𝑞𝑞𝑠𝑠 above𝑁𝑁 protocol and Password be a finite dictionary of size equipped with a uniform distribution. Let be an adversary against the mutual authentication within𝑃𝑃 a time bound , with less than interactions with the parties and 𝑁𝑁 passive eavesdropping, and asking hash-queries𝒜𝒜 and encryption/decryption-queries. 𝑠𝑠 𝑝𝑝 Then, we have 𝑡𝑡 𝑞𝑞 𝑞𝑞 ℎ 𝑒𝑒 𝑞𝑞 ( + ) 𝑞𝑞 ( + 4 + + )2 Adv ( ) + cdh( ) + + , Succ 2 2 2( 1) ℎ 2𝑠𝑠 𝑝𝑝 𝑒𝑒 auth 𝑞𝑞𝑠𝑠 ′ 𝑞𝑞𝑠𝑠 𝑞𝑞𝑝𝑝 𝑞𝑞 𝑞𝑞 𝑞𝑞 𝑞𝑞 𝒫𝒫 𝒜𝒜 ≤ 𝑞𝑞ℎ 𝔾𝔾 𝑡𝑡 ℓ+1 where + ( + +𝑁𝑁1) with denoting𝑞𝑞 − { , , , } and denoting the computational′ time for an exponentiation in . 𝑡𝑡 ≤ 𝑡𝑡 𝑞𝑞𝑠𝑠 𝑞𝑞𝑝𝑝 ⋅ 𝜏𝜏𝔾𝔾 ℓ 𝑚𝑚𝑚𝑚𝑚𝑚 ℓ1 ℓ2 ℓ3 ℓ4 𝜏𝜏𝔾𝔾 Proof. The proof of this theorem is similar to𝔾𝔾 the previous one. The details of the proof can be found in Appendix A.2. □ KSII TRANSACTIONS ON INTERNET AND INFORMATION SYSTEMS VOL. 10, NO. 3, March 2016 1301

5.3 Resistance to Possible Attacks

User anonymity and forward anonymity: Even if attacker eavesdrops on a message { , , , , } between user and server during the authentication phase, and moreover, even if∗ knows the server's private key , has to know random𝒜𝒜 number , chosen by the 𝑈𝑈 𝑆𝑆 user𝐵𝐵 𝐼𝐼𝐼𝐼, or 𝐴𝐴random𝑀𝑀 𝑀𝑀 number , chosen by the server in order to acquire from . Otherwise, has to𝒜𝒜 solve a discrete logarithm problem𝑥𝑥 𝒜𝒜 to acquire from under the𝑎𝑎 condition∗ that the attacker does not know𝑏𝑏 or . Thus, the proposed scheme provides∗𝐼𝐼𝐼𝐼 user anonymity𝐼𝐼𝐼𝐼 , user untr𝒜𝒜 aceability and forward anonymity. 𝐼𝐼𝐼𝐼 𝐼𝐼𝐼𝐼 𝑎𝑎 𝑏𝑏 Forward secrecy: Even if an adversary eavesdrops on a message { , , , , } between user and server during the authentication phase, and even if knows∗ the server's 𝑈𝑈 𝑆𝑆 private key and the confidential information𝒜𝒜 , has to know random 𝐵𝐵number𝐼𝐼𝐼𝐼 𝐴𝐴 𝑀𝑀, chosen𝑀𝑀 by the user, or random number , chosen by the server, in order to acquire𝒜𝒜 . Otherwise, has to solve𝑥𝑥 a discrete logarithm problem to acquire𝑉𝑉𝑈𝑈 𝒜𝒜 . Thus, the proposed scheme𝑎𝑎 provides forward secrecy. 𝑏𝑏 𝑠𝑠𝑠𝑠 𝒜𝒜 𝑠𝑠𝑠𝑠 Smart card loss attack (user impersonation attack): is protected by the secured one-way hash function so that server can detect this easily if the attacker cannot calculate a 𝑈𝑈 valid , even when the attacker has managed to tamper𝑀𝑀 with a legitimate user's authentication message. Moreover, even𝑆𝑆 if confidential information , stored in the smart 𝑈𝑈 card is𝑀𝑀 exposed, the correct cannot be acquired if the attacker does not∗ know the password. Consequently, a valid cannot be calculated. Thus, the proposed scheme𝑉𝑉𝑈𝑈 is secure against smart card loss and user impersonation𝑉𝑉𝑈𝑈 attacks. 𝑀𝑀𝑈𝑈 Replay attack: Unlike other schemes in which service denial attacks can succeed by exceeding the allocated number of online attempts using retransmission of captured login request messages, the proposed scheme uses the server's ephemeral public key, which is changed in every session, for conversion so that retransmission of captured messages cannot increase the number of attempts∗ because it cannot identify the user of the particular session. Thus, replay attacks will𝐼𝐼𝐼𝐼 fail.

Key compromise impersonation attacks: Let us assume that attacker has stolen the server's private key . However, does not know random number for user , which is stored in the registration table, so cannot calculate ( || || ) correct𝒜𝒜ly and cannot be impersonated. 𝑥𝑥 𝒜𝒜 𝑅𝑅 𝑈𝑈 𝒜𝒜 ℋ5 𝑥𝑥 𝐼𝐼𝐼𝐼 𝑅𝑅 𝑈𝑈 6. Performance Analysis In Table 2, we provide a comparative summary of relevant dynamic ID-based forward security preserving authentication schemes, including our proposed scheme. The schemes are compared in terms of computation, communication, and security. We assume that the identities are 32-bit long random numbers and that the outputs of the one-way hash function are 128-bit long. Further, we assume that public key parameters , y, and are 1024-bit, is 128-bit long, and the elliptic curve point is 160-bit long. Let , , , and denote the time complexity for exponential operation, symmetric𝑝𝑝 encryption/decryption,𝑔𝑔 𝑞𝑞 hash function evaluation, and scalar-point multiplication, respectively.𝑇𝑇𝐸𝐸 𝑇𝑇𝑆𝑆 𝑇𝑇𝐻𝐻 𝑀𝑀 During𝑇𝑇 the authentication phase in our scheme, the total computation cost of the user and 1302 Lee et al.: Forward Anonymity-Preserving Secure Remote Authentication Scheme server is 6 + 1 + 10 and the communication cost is 2464(= 32 + 3 × 128 + 2 × 1024) bits. Our scheme is more efficient than Horng et al.’s and is no less efficient than Wang et al.’s. Furthermore,𝑇𝑇𝐸𝐸 𝑇𝑇𝑆𝑆 it provides𝑇𝑇𝐻𝐻 forward anonymity and resists both smart card loss attacks and replay attacks, whereas Horng et al.’s, Wu et al.’s, and Wang et al.’s schemes are susceptible to such attacks.

Table 2. Comparative summary of relevant forward security preserving authentication schemes Scheme Computation Comm. Security cost cost SKS FS UA FA RSCL RR Our scheme 6 + 1 + 10 2464 bits Yes Yes Yes Yes Yes Yes Horng et al. [5] 7 + 4 + 8 2432 bits Yes Yes Yes No No No 𝐸𝐸 𝑆𝑆 𝐻𝐻 Wu et al. [8] 4𝑇𝑇 + 8𝑇𝑇 𝑇𝑇 864 bits Yes Yes Yes No No No 𝐸𝐸 𝑆𝑆 𝐻𝐻 Wang et al. [10] 6𝑇𝑇 + 14𝑇𝑇 𝑇𝑇 2560 bits Yes Yes Yes No Yes No 𝑇𝑇𝑀𝑀 𝑇𝑇𝐻𝐻 SKS: session key security; FS: forward secrecy; UA: user anonymity; FA: forward anonymity; 𝑇𝑇𝐸𝐸 𝑇𝑇𝐻𝐻 RSCL: Resistance to smart card loss attacks; RR: Resistance to replay attacks

7. Conclusion In this paper, we demonstrated that three dynamic ID-based authentication schemes that preserve forward secrecy cannot guarantee forward anonymity and can be vulnerable to replay attacks because they use static long-term keys instead of the server’s ephemeral keys to generate dynamic IDs. We then presented an adversary model that incorporates forward secrecy against active attackers according to the extreme-adversary principle and proposed a dynamic ID-based authentication scheme in which forward secrecy and forward anonymity are preserved and replay attacks can be obviated through retransmission of the authentication messages. We subsequently proved that our scheme is provably secure under the computational Diffie-Hellman assumption and in the random oracle and ideal-cipher models.

References [1] M. L. Das, A. Saxena and V. P. Gulati, “A dynamic ID-based remote user authentication scheme,” IEEE Transactions on Consumer Electronics, vol. 50, no. 2, pp. 629-631, 2004. Article (CrossRef Link). [2] A. K. Awasthi and S. Lal, “Security analysis of a dynamic ID-based remote user authentication scheme,” IACR Cryptology ePrint Archive, 2004. Article (CrossRef Link). [3] I. Liao, C. Lee and M. Hwang, “Security enhancement for a dynamic ID-based remote user authentication scheme,” in Proc. of Int. Conf. on Next Generation Web Services Practices, 2005. Article (CrossRef Link). [4] H. Chien and C. Chen, “A remote authentication scheme preserving user anonymity,” in Proc. of 19th Int. Conf. on Advanced Information Networking and Applications, pp.245-248, 2005. Article (CrossRef Link). [5] W. Horng, C. Lee and J. Peng, “A secure remote authentication scheme preserving user anonymity with non-tamper resistant smart cards,” WSEAS Transactions on Information Science and Applications, vol. 7, no. 5, pp. 619-628, 2010. Article (CrossRef Link). [6] J. Tsai, T. Wu and K. Tsai, “New dynamic ID authentication scheme using smart cards,” International Journal of Communication Systems, vol. 23, no. 12 pp. 1449-1462, 2010. Article (CrossRef Link). KSII TRANSACTIONS ON INTERNET AND INFORMATION SYSTEMS VOL. 10, NO. 3, March 2016 1303

[7] M. K. Khan, S. Kim and K. Alghathbar, “Cryptanalysis and security enhancement of a `more efficient & secure dynamic ID-based remote user authentication scheme',” Computer Communications, vol. 34, no. 3. pp. 305-309, 2011. Article (CrossRef Link). [8] S. Wu, Y. Zhu and Q. Pu, “Robust smart-cards-based user authentication scheme with user anonymity,” Security and Communication Networks, vol. 5, no. 2, pp. 236-248, 2012. Article (CrossRef Link). [9] C. Ma, D. Wang and Q. Zhang, “Cryptanalysis and improvement of Sood et al.’s dynamic ID-based authentication scheme,” Distributed Computing and Internet Technology, pp. 141-152, 2012. Article (CrossRef Link). [10] D. Wang, C. Ma, P. Wang and Z. Chen, “Robust smart card based password authentication scheme against smart card security breach,” IACR Cryptology ePrint Archive, 2012. Article (CrossRef Link). [11] C. Liu and C. Ma, “An efficient and provable secure pake scheme with robust anonymity,” Information Computing and Applications, 2012. Article (CrossRef Link). [12] T. Cao and J. Zhai, “Improved dynamic ID-based authentication scheme for telecare medical information systems,” Journal of medical systems, vol. 37, no. 2, pp. 1-7, 2013. Article (CrossRef Link). [13] W. Juang, S. Chen and H. Liaw, “Robust and efficient password-authenticated key agreement using smart cards,” IEEE Transactions on Industrial Electronics, vol. 55, no. 6, pp. 2551-2556, 2008. Article (CrossRef Link). [14] D. Sun, J. Huai, J. Sun, J. Li, J. Zhang and Z. Feng, “Improvements of Juang’s password- authenticated key agreement scheme using smart cards,” IEEE Transactions on Industrial Electronics, vol. 56, no. 6, pp. 2284-2291, 2009. Article (CrossRef Link). [15] X. Li, W. Qiu, D. Zheng, K. Chen and J. Li, “Anonymity enhancement on robust and efficient password-authenticated key agreement using smart cards,” IEEE Transactions on Industrial Electronics, vol. 57, no. 2, pp. 793-800, 2010. Article (CrossRef Link). [16] C. Chang, H. Le and C. Chang, “Novel untraceable authenticated key agreement protocol suitable for mobile communication,” Wireless personal communications, vol. 71, no. 1, pp. 425-437, 2013. Article (CrossRef Link). [17] Q. Jiang, J. Ma, Z. Ma and G. Li, “A privacy enhanced authentication scheme for telecare medical information systems,” Journal of medical systems, vol. 37, no. 1, pp. 1-8, 2013. Article (CrossRef Link). [18] Q. Jiang, J. Ma, G. Li and L. Yang, “Robust two-factor authentication and key agreement preserving user privacy,” IJ Network Security vol. 16, no. 3, pp. 229-240, 2014. Article (CrossRef Link). [19] W. Diffie, P. C. Van Oorschot and M.J. Wiener, “Authentication and authenticated key exchanges,” Designs, codes and cryptography, vol. 2, no. 2, pp. 107-125, 1992. Article (CrossRef Link). [20] F. Hao, “On robust key agreement based on public key authentication,” Financial Cryptography and Data Security, pp. 383-390, 2010. Article (CrossRef Link). [21] H. Krawczyk, “HMQV: A high-performance secure Diffie-Hellman protocol,” Advances in Cryptology-CRYPTO 2005, pp. 546-566, 2005. Article (CrossRef Link). [22] M. Bellare, D. Pointcheval and P. Rogaway, “Authenticated key exchange secure against dictionary attacks,” Advances in Cryptology-Eurocrypt 2000, pp. 139-155, 2000. Article (CrossRef Link). [23] E. Bresson, O. Chevassut and D. Pointcheval, “Security proofs for an efficient password-based key exchange,” in Proc. of 10th ACM conf. on Computer and communications security, pp. 241-250, 2003. Article (CrossRef Link).

1304 Lee et al.: Forward Anonymity-Preserving Secure Remote Authentication Scheme

A. Proof of Theorems

A.1 Proof of Theorem 1 Proof. In this proof, for simplicity, we do not consider forward secrecy. We incrementally define a sequence of games starting at the real game G0 and ending up at G8. For each Gn ( = 0, 1, … , 8), we define the following events: ○ S occurs if correctly guesses the bit involved in the Test-query. 𝑛𝑛 ○ Encrypt occurs if submits data it has encrypted by itself using the password. 𝑛𝑛 𝒜𝒜 𝑏𝑏 ○ Auth occurs𝑛𝑛 if submits an authenticator that is accepted by the server and that has been built by the𝒜𝒜 adversary itself. 𝑛𝑛 𝒜𝒜 𝐴𝐴𝐴𝐴𝐴𝐴ℎ Game G0: This is the real protocol in the random oracle and ideal-cipher models. Several oracles are thus available to the adversary: six hash oracles ( (with {0, 1, 2, 3, 4, 5}) and all the instances and (in order to cover concurrent executions). By definition, 𝑖𝑖 𝑖𝑖 𝑗𝑗 ℋ 𝑖𝑖 ∈ 𝑈𝑈 𝑆𝑆 Adv ( ) = 2 Pr[S ] 1. (1) ake In the games below, we further assume𝒫𝒫 that when the0 game aborts or stops with no answer outputted by adversary , we choose this𝒜𝒜 bit at random,− which in turn defines the actual value′ of the event, S . Moreover, if the adversary′ has not finished playing the game after 𝑏𝑏Send-queries or lasts for more𝒜𝒜 than time , we stop𝑏𝑏 the game (and choose a random bit ), 𝑘𝑘 𝑠𝑠 where and are predetermined upper bounds. 𝑞𝑞′ 𝑡𝑡 𝑏𝑏 𝑠𝑠 Game 𝑞𝑞G1: In 𝑡𝑡this game, we simulate the hash oracles, , and five additional hash functions (with {0, 1, 2, 3, 4} that will appear in Game G6) and the encryption/decryption oracles, 𝑖𝑖 as ′usual by maintaining a hash list (and another list ℋ containing the hash-queries asked 𝑖𝑖 byℋ the adversary𝑖𝑖 ∈ itself) (see Fig. 2) and an encryption list (and another list containing the encryption/decryption-queries 𝛬𝛬askedℋ by the adversary𝛬𝛬𝒜𝒜 itself). We also simulate all the instances, as the real players would, for the Send-queries𝛬𝛬 andℰ for the Execute𝛬𝛬,𝒟𝒟 Reveal and Test-queries (see Fig. 3). From this simulation, it is clear that the game is perfectly indistinguishable from the real attack.

Pr[S ] = Pr[S ]. (2)

1 0 Game G2: In this game, we avoid collisions among the hash-queries asked by the adversary to (with {1, 2, 3, 4}) , among the password and the ciphertexts, and among the Send-queries’ output. We play the game in such a manner that no collision is found by the 𝑖𝑖 adversaryℋ 𝑖𝑖for∈ , at most one password corresponds to each plaintext-ciphertext pair, and abort if two instances of the server or client have used the same random values. This will help us later on to proveℋ𝑖𝑖 Lemma 1, the key step in proving Theorem 1. We use the following rules:

► Rule ( ) Choose a random element {0, 1} . If {1, 2, 3, 4}, this query is directly asked by the adversary,2 and ( , , ) , then we abort ℓthe𝑖𝑖 game. 𝓗𝓗 − 𝑟𝑟 ∈ 𝑖𝑖 ∈ 𝒜𝒜 Then, for any , #{( , ,𝑖𝑖 ∗) 𝑟𝑟 ∈ 𝛬𝛬} 1. However, this rule may cause the game to abort with probability bounded by . 𝑟𝑟 𝑖𝑖 ∗ 2𝑟𝑟 ∈ 𝛬𝛬𝒜𝒜 ≤ 𝑞𝑞ℎ ℓ+1 2 KSII TRANSACTIONS ON INTERNET AND INFORMATION SYSTEMS VOL. 10, NO. 3, March 2016 1305

For a hash-query ( ) (resp. with ( )), such that a record ( , , ) appears in (resp. ), the answer is . Otherwise, answer is defined according′ to the following rule: ′ 𝑖𝑖 𝑖𝑖 ℋ ℋ ► Rule ( ) ℋ Choose𝑞𝑞 a randomℋ element𝑞𝑞 {0,1} . 𝑖𝑖 𝑞𝑞 𝑟𝑟 𝛬𝛬 𝛬𝛬 The𝑟𝑟 record ( , 1, ) is added𝑟𝑟 to . (resp. ). If the queryℓ𝑖𝑖 is directly asked by the adversary, ( , , ) is added to . 𝓗𝓗 − ′ 𝑟𝑟 ∈ 𝑖𝑖 𝑞𝑞 𝑟𝑟 𝛬𝛬ℋ 𝛬𝛬ℋ 𝑖𝑖 𝑞𝑞 𝑟𝑟 For an Encryption-query ( ), such that a record ( , , , ) appears in , the answer is . 𝛬𝛬𝒜𝒜 Otherwise, answer is defined according to the following rule:⋆ ⋆ ( ) 𝑘𝑘 ℰ ► Rule Choose⋆ ℰ a random𝑍𝑍 element {0𝑘𝑘,1𝑍𝑍} ∗. 𝑍𝑍 𝛬𝛬 𝑍𝑍 The record ( 1, , ,𝑍𝑍 ) is added to . If the ⋆query is ℓdirectly4 asked by the adversary, ( , , , ) is added to . 𝓔𝓔 − ⋆ 𝑍𝑍 ∈ ⋆ ℰ For a Decryption𝑘𝑘 𝑍𝑍 -ℰquery𝑍𝑍 ( ), such𝛬𝛬 that a record ( , , , ) appears in , the answer is 𝑘𝑘. 𝑍𝑍 ℰ 𝑍𝑍 𝒟𝒟 Otherwise𝛬𝛬 , answer is defined according to the following rule:⋆ 𝑘𝑘 ℰ ► Rule ( ) Choose 𝒟𝒟a random𝑍𝑍 element {0,𝑘𝑘1}𝑍𝑍 .∗ 𝑍𝑍 𝛬𝛬 𝑍𝑍 The record 1( , , 𝑍𝑍, ) is added to . If the⋆ query isℓ4 directly asked by the adversary, ( , , , ) is added to . 𝓓𝓓 − ⋆ 𝑍𝑍 ∈ ⋆ 𝑘𝑘 𝑍𝑍 𝒟𝒟 𝑍𝑍 𝛬𝛬ℰ 𝑘𝑘 𝑍𝑍 𝒟𝒟 𝑍𝑍 𝒟𝒟 Fig. 2. Simulation of the random oracles and encryption/decryption oracles 𝛬𝛬

We answer the Send-queries to the server as follows: − A Send( , Start)-query is processed according to the following rule: ► Rule (𝑗𝑗 ) Choose a random element and compute = . Then, the query𝑆𝑆 1 is answered with ( , ), and the server∗ instance goes to 𝜑𝜑an expected state. 𝑞𝑞 − If instance𝐒𝐒𝐒𝐒 − is in an expecting state, a query𝜑𝜑 Send∈ ℤ ( , ( , , 𝐵𝐵) is 𝑔𝑔processed according to the following rule: ► Rule 𝑗𝑗( ) Compute = 𝑆𝑆 𝐵𝐵, = , =𝑗𝑗 ⋆ ( || || || ), and = ( || || ). ( ) 𝑈𝑈 ► Rule 𝑆𝑆 1 If ( ||𝑥𝑥 || || ||𝜑𝜑 || 𝑆𝑆 || 𝐼𝐼𝐼𝐼)⋆, the𝐴𝐴 𝑀𝑀instance terminates without accepting. ( ) 𝑆𝑆 𝑆𝑆 3 𝑆𝑆 𝑆𝑆 𝑈𝑈 4 ► Rule 𝐒𝐒𝐒𝐒 1 − Do nothing.𝑉𝑉 𝐴𝐴 𝐾𝐾 𝐴𝐴 𝐼𝐼𝐼𝐼 𝐼𝐼𝐼𝐼 ⊕ ℋ 𝐴𝐴 𝐵𝐵 𝑉𝑉 𝐾𝐾 𝑉𝑉 ℋ 𝑥𝑥 𝐼𝐼𝐼𝐼 𝑅𝑅 ( ) 𝑈𝑈 1 𝑈𝑈 𝑆𝑆 𝑆𝑆 ► Rule 𝐒𝐒𝐒𝐒 1 − Compute𝑀𝑀 ≠ ℋ authenticator𝐼𝐼𝐼𝐼 𝑆𝑆 𝐴𝐴 𝐵𝐵 𝑉𝑉= 𝑉𝑉( 𝐾𝐾|| || || || || || ) and session key 𝐒𝐒𝐒𝐒 1 − = ( || || || || || || ). 𝑆𝑆 2 𝑈𝑈 𝑆𝑆 𝑆𝑆 Finally, the𝐒𝐒𝐒𝐒 query− is answered with , the 𝑀𝑀instanceℋ acc𝐼𝐼𝐼𝐼epts𝑆𝑆 and𝐴𝐴 𝐵𝐵terminates.𝑉𝑉 𝑉𝑉 𝐾𝐾 𝑆𝑆 0 𝑈𝑈 𝑆𝑆 𝑆𝑆 Our simulation also 𝑠𝑠𝑠𝑠adds ((ℋ, 𝐼𝐼𝐼𝐼), ( 𝑆𝑆 ,𝐴𝐴 ,𝐵𝐵 𝑉𝑉), 𝑉𝑉) to𝐾𝐾 . 𝑀𝑀𝑆𝑆 We answer the Send-queries to the client⋆ as follows: 𝑆𝑆 𝐵𝐵 𝐼𝐼𝐼𝐼 𝐴𝐴 𝑀𝑀𝑈𝑈 𝑀𝑀𝑆𝑆 𝛬𝛬𝛹𝛹 − A Send( , ( , ))-query is processed according to the following rule: ► Rule 𝑖𝑖 ( ) Choose a random element and compute = . 𝑈𝑈 (𝑆𝑆) 𝐵𝐵 ► Rule 1 Compute = ( ), = ∗ , = , = 𝜃𝜃 ( || || || ), and the 𝐔𝐔𝐔𝐔 − 𝜃𝜃 ∈ ℤ𝑞𝑞 𝐴𝐴 𝑔𝑔 1 authenticator = ⋆( || || 𝜃𝜃|| || || 𝜃𝜃|| ⋆). 𝑈𝑈 𝑝𝑝𝑝𝑝 𝑈𝑈 𝑆𝑆 𝑈𝑈 3 𝑆𝑆 𝑈𝑈 Then, the query𝐔𝐔𝐔𝐔 is− answered with𝑉𝑉 ( 𝒟𝒟 , ,𝑉𝑉 )𝑉𝑉, and 𝑦𝑦the client𝐾𝐾 instance𝐵𝐵 𝐼𝐼𝐼𝐼 goes𝐼𝐼𝐼𝐼 to⊕ anℋ expected𝐴𝐴 𝐵𝐵 𝑉𝑉state.𝐾𝐾 𝑈𝑈 1 𝑈𝑈 𝑆𝑆 𝑈𝑈 Our simulation also adds (( , ), (𝑀𝑀 ⋆, ℋ, 𝐼𝐼𝐼𝐼), )𝑆𝑆 to𝐴𝐴 𝐵𝐵. 𝑉𝑉 𝑉𝑉 𝐾𝐾 𝑈𝑈 − If instance is in an expecting 𝐼𝐼𝐼𝐼state,⋆ 𝐴𝐴 a𝑀𝑀 query Send( , ) is processed by computing the session key and 𝑈𝑈 𝛹𝛹 producing an authenticator.𝑖𝑖 𝑆𝑆We𝐵𝐵 apply𝐼𝐼𝐼𝐼 the𝐴𝐴 𝑀𝑀following⊥ rules:𝛬𝛬 𝑖𝑖 𝑆𝑆 ► Rule 𝑈𝑈( ) If ( || || || || || || 𝑈𝑈 )𝑀𝑀, the instance terminates without accepting. ( ) ► Rule 1 Do nothing. ( ) 𝑆𝑆 2 𝑈𝑈 𝑆𝑆 𝑈𝑈 ► Rule 𝐔𝐔𝐔𝐔 1 − Compute𝑀𝑀 ≠ ℋ session𝐼𝐼𝐼𝐼 𝑆𝑆key𝐴𝐴 𝐵𝐵 =𝑉𝑉 𝑉𝑉( 𝐾𝐾|| || || || || || ). The instance𝐔𝐔 𝐔𝐔terminates1 − with accepting. 𝐔𝐔𝐔𝐔 − 𝑠𝑠𝑠𝑠𝑈𝑈 ℋ0 𝐼𝐼𝐼𝐼 𝑆𝑆 𝐴𝐴 𝐵𝐵 𝑉𝑉𝑈𝑈 𝑉𝑉𝑆𝑆 𝐾𝐾𝑈𝑈 An Execute( , )-query is processed successively using the simulations of the Send-queries: ( , ) Send(𝑖𝑖 𝑗𝑗, Start), ( , , ) Send( , ( , )) and Send( , ( , , )), and outputting the transcript𝑈𝑈 (( 𝑆𝑆𝑗𝑗, ), ( , , ⋆ ), ). 𝑖𝑖 𝑗𝑗 ⋆ 𝑈𝑈 𝑆𝑆 𝑈𝑈 A𝑆𝑆 Reveal𝐵𝐵 ←( ) -query𝑆𝑆 returns⋆ 𝐼𝐼𝐼𝐼the session𝐴𝐴 𝑀𝑀 key← computed𝑈𝑈 𝑆𝑆by𝐵𝐵 the instance𝑀𝑀 ← (if the𝑆𝑆 latter𝐼𝐼𝐼𝐼 has𝐴𝐴 accepted).𝑀𝑀 𝑈𝑈 𝑆𝑆 A Test(I)-query 𝑆𝑆first𝐵𝐵 gets𝐼𝐼𝐼𝐼 𝐴𝐴 from𝑀𝑀 Reveal𝑀𝑀 ( ), and flips a coin . If = 1, we return the value of the session key . Otherwise𝐼𝐼 , we return a random value drawn from {0,1} . 𝐼𝐼 𝑠𝑠𝑠𝑠 Fig.𝐼𝐼 3. Simulation ℓof0 𝑏𝑏 the𝑏𝑏 queries 𝑠𝑠𝑠𝑠

1306 Lee et al.: Forward Anonymity-Preserving Secure Remote Authentication Scheme

► Rule ( ) Choose a random element {0,1} . If ( , , , ) , we abort the game. ► Rule (2 ) Choose a random element ⋆ {0,1} ℓ4. If ( , , , ⋆) , we abort the game. ℰ 𝓔𝓔 2 − 𝑍𝑍 ∈ ℓ4 ∗ 𝑍𝑍 ∗ 𝑍𝑍⋆ ∈ 𝛬𝛬 ℰ Then, for𝓓𝓓 any− pair ( , ), #{( , , , 𝑍𝑍 ∈) } 1∗. However,𝑍𝑍 ∗ 𝑍𝑍 ∈ 𝛬𝛬this rule may cause the game to abort with probability⋆ bounded by⋆ , where is the size of . 𝑍𝑍 𝑍𝑍 ∗ 𝑍𝑍 ∗ 𝑍𝑍 ∈2 𝛬𝛬ℰ ≤ 𝑞𝑞ℰ ℓ4+1 ℰ ℰ ► Rule ( ) Choose a random element 2 and compute𝑞𝑞 = . If (𝛬𝛬, ) , we abort 2 ( , ) ∗ 𝜑𝜑 the game. Otherwise, we add the record to𝑞𝑞 . Variable keeps track of the messages𝑆𝑆 sent by server𝐒𝐒𝐒𝐒 .− 𝜑𝜑 ∈ ℤ 𝐵𝐵 𝑔𝑔 ∗ 𝐵𝐵 ∈ 𝛬𝛬 𝑆𝑆 𝑆𝑆 ► Rule ( ) Choose a random element 𝑗𝑗 𝐵𝐵 𝛬𝛬and compute 𝛬𝛬 = . If ( , ) , we abort 2𝑆𝑆 ( , ) ∗ 𝜃𝜃 the game. Otherwise, we add the record to𝑞𝑞 . Variable keeps track of the messages𝑈𝑈 sent by client𝐔𝐔𝐔𝐔 . − 𝜃𝜃 ∈ ℤ 𝐴𝐴 𝑔𝑔 ∗ 𝐴𝐴 ∈ 𝛬𝛬 𝑈𝑈 𝑈𝑈 𝑖𝑖 𝐴𝐴 𝛬𝛬 𝛬𝛬 Then, no collision𝑈𝑈 occurs among the outputted by the client instances and among the outputted by the server instances. However, this rule may cause the game to abort with ( ) 𝐴𝐴 𝐵𝐵 probability bounded by ( )2. 𝑞𝑞𝑠𝑠+𝑞𝑞𝑝𝑝 Games G2 and G1 are 2perfectly𝑞𝑞−1 indistinguishable unless one of the above rules causes the game to abort: ( ) |Pr[S ] Pr[S ]| + + . (3) 2 2 ( )2 𝑞𝑞ℎ 𝑞𝑞ℰ 𝑞𝑞𝑠𝑠+𝑞𝑞𝑝𝑝 ℓ+1 ℓ4+1 2 − 1 ≤ 2 2 2 𝑞𝑞−1 Game G3: We define game G3 by aborting the game wherein the adversary may guess the correct authenticator or (that is, without asking the corresponding hash-query or ). We achieve this objective by modifying the manner in which the participants process the queries: 𝑀𝑀𝑈𝑈 𝑀𝑀𝑆𝑆 ℋ1 ℋ2 ► Rule ( ) If ( , ), ( , , ), and (1, || || || || || || , ) , then we abort 3the game. ⋆ 𝑈𝑈 𝛹𝛹 𝑈𝑈 𝑆𝑆 𝑆𝑆 𝑈𝑈 𝒜𝒜 ► Rule 𝐒𝐒𝐒𝐒 ( ) − If � (𝑆𝑆 ,𝐵𝐵 ), (𝐼𝐼𝐼𝐼 ,𝐴𝐴 ,𝑀𝑀 ),∗� ∉ 𝛬𝛬 and (𝐼𝐼𝐼𝐼2, 𝑆𝑆||𝐴𝐴|| 𝐵𝐵|| 𝑉𝑉|| 𝑉𝑉|| 𝐾𝐾|| 𝑀𝑀, ∉)𝛬𝛬 , then we abort3 the game. ⋆ 𝑈𝑈 𝑆𝑆 𝛹𝛹 𝑈𝑈 𝑆𝑆 𝑈𝑈 𝑆𝑆 𝒜𝒜 𝐔𝐔𝐔𝐔 − � 𝑆𝑆 𝐵𝐵 𝐼𝐼𝐼𝐼 𝐴𝐴 𝑀𝑀 𝑀𝑀 � ∉ 𝛬𝛬 𝐼𝐼𝐼𝐼 𝑆𝑆 𝐴𝐴 𝐵𝐵 𝑉𝑉 𝑉𝑉 𝐾𝐾 𝑀𝑀 ∉ 𝛬𝛬 This rule ensures that all accepted authenticators, and , are from either the simulator, or an adversary that has correctly computed , and asked queried oracle or . Games 𝑈𝑈 𝑆𝑆 G3 and G2 are perfectly indistinguishable unless 𝑀𝑀the server𝑀𝑀 rejects a valid authenticator. 𝑈𝑈 1 2 Because neither nor appeared in a previous𝑉𝑉 session (since game G2), thisℋ happensℋ only if the authenticator had been correctly guessed by the adversary without asking ( || || || |𝐴𝐴| || 𝐵𝐵|| ) or ( || || || || || || ):

ℋ1 𝐼𝐼𝐼𝐼 𝑆𝑆 𝐴𝐴 𝐵𝐵 𝑉𝑉𝑈𝑈 𝑉𝑉𝑆𝑆 𝐾𝐾𝑆𝑆 ℋ2 𝐼𝐼𝐼𝐼 𝑆𝑆 𝐴𝐴 𝐵𝐵 𝑉𝑉𝑈𝑈 𝑉𝑉𝑆𝑆 𝐾𝐾𝑈𝑈 |Pr[S ] Pr[S ]| min{ , }. (4) 𝑞𝑞𝑠𝑠 ℓ1 ℓ2 3 2 2 Game G4: We define game G4 by aborting− the executions≤ wherein the adversary guessed the correct parameter, , without asking the corresponding query. We achieve this objective by modifying the manner in which the participants process the queries: 𝑉𝑉𝑈𝑈 ► Rule ( ) If (( , ), ( , , ), ) and either (1, || || || || || , ) or (( , , ,4) and (4, ||⋆ || , ) ), then we abort the game. 𝑈𝑈 𝛹𝛹 𝑈𝑈 𝑈𝑈 𝒜𝒜 ► Rule 𝐒𝐒𝐒𝐒 ( ) − If ((𝑆𝑆 ,𝐵𝐵 ), (𝐼𝐼𝐼𝐼 ,𝐴𝐴 ,𝑀𝑀 ),∗ ∉) 𝛬𝛬 and either (𝐼𝐼𝐼𝐼2, 𝑆𝑆||𝐴𝐴|| 𝐵𝐵|| 𝑉𝑉|| ∗||𝑀𝑀, ∉) 𝛬𝛬 or 𝑈𝑈 𝒟𝒟 𝑈𝑈 𝒜𝒜 ∗ ∗ 𝑉𝑉 ∗4 ∉ 𝛬𝛬 ∗ 𝐼𝐼𝐼𝐼⋆ ∗ 𝑉𝑉 ∉ 𝛬𝛬 𝐔𝐔𝐔𝐔 − 𝑆𝑆 𝐵𝐵 𝐼𝐼𝐼𝐼 𝐴𝐴 𝑀𝑀𝑈𝑈 𝑀𝑀𝑆𝑆 ∉ 𝛬𝛬𝛹𝛹 𝐼𝐼𝐼𝐼 𝑆𝑆 𝐴𝐴 𝐵𝐵 𝑉𝑉𝑈𝑈 ∗ 𝑀𝑀𝑆𝑆 ∉ 𝛬𝛬𝒜𝒜 KSII TRANSACTIONS ON INTERNET AND INFORMATION SYSTEMS VOL. 10, NO. 3, March 2016 1307

(( , , , ) and (4, || || , ) ), then we abort the game.

∗ ∗ 𝑉𝑉𝑈𝑈 ∗ ∉ 𝛬𝛬𝒟𝒟 ∗ 𝐼𝐼𝐼𝐼 ∗ 𝑉𝑉𝑈𝑈 ∉ 𝛬𝛬𝒜𝒜 Games G4 and G3 are perfectly indistinguishable unless (1, || || || || || || , ) , (1, || || || || || , ) , (2, || || || || || || , ) , or (2, || || || || || , ) . Because neither nor appeared𝐼𝐼𝐼𝐼 in𝑆𝑆 a𝐴𝐴 previous𝐵𝐵 𝑉𝑉𝑈𝑈 session𝑉𝑉𝑆𝑆 𝐾𝐾𝑆𝑆 𝑀𝑀(since𝑈𝑈 ∉ 𝒜𝒜 𝑈𝑈 𝑈𝑈 𝒜𝒜 𝑈𝑈 𝑆𝑆 𝑈𝑈 𝑆𝑆 𝒜𝒜 𝛬𝛬game G𝐼𝐼𝐼𝐼2), this𝑆𝑆 𝐴𝐴happens𝐵𝐵 𝑉𝑉 only∗ 𝑀𝑀 if parameter∉ 𝛬𝛬 𝐼𝐼𝐼𝐼 had𝑆𝑆 been𝐴𝐴 𝐵𝐵 correctly𝑉𝑉 𝑉𝑉 𝐾𝐾guessed𝑀𝑀 ∉by𝛬𝛬 the adversary𝐼𝐼𝐼𝐼 𝑈𝑈 𝑆𝑆 𝒜𝒜 𝑆𝑆without𝐴𝐴 𝐵𝐵 asking𝑉𝑉 ∗ 𝑀𝑀 (∉ 𝛬𝛬) or ( | | ): 𝐴𝐴 𝐵𝐵 𝑈𝑈 ⋆ 𝑉𝑉 𝑝𝑝𝑝𝑝 𝑈𝑈 4 𝒟𝒟 𝑉𝑉 ℋ 𝑥𝑥� 𝐼𝐼𝐼𝐼|Pr[�S𝑅𝑅 ] Pr[S ]| . (5) 𝑞𝑞𝑠𝑠 ℓ4 4 3 2 Game G5: We define game G5 by aborting− the executions≤ wherein the adversary may have correctly computed parameter , used it to build a valid authenticator or , and impersonate as a client or server. We achieve this objective by modifying the manner in which the participants process the queries:𝑉𝑉𝑈𝑈 𝑀𝑀𝑈𝑈 𝑀𝑀𝑆𝑆

► Rule ( ) If (( , ), ( , , ), ) and either (1, || || || || || , ) or ( , , ,5) and 4, |⋆ | , , then we abort the game. Further, if 𝐒𝐒𝐒𝐒 − 𝑆𝑆 𝐵𝐵 𝐼𝐼𝐼𝐼 𝐴𝐴 𝑀𝑀𝑈𝑈 ∗ ∉ 𝛬𝛬𝛹𝛹 𝐼𝐼𝐼𝐼 𝑆𝑆 𝐴𝐴 𝐵𝐵 𝑉𝑉𝑈𝑈 ∗ 𝑀𝑀𝑈𝑈 ∉ 𝛬𝛬𝒜𝒜 (( , ), ( , , ), ) , we define the event Auth to be true, and abort the game. � ∗ ∗ 𝑉𝑉𝑈𝑈 ∗ ∉ 𝛬𝛬𝒟𝒟 � ∗ � 𝐼𝐼𝐼𝐼 � ∗ 𝑉𝑉𝑈𝑈� ∉ 𝛬𝛬𝒜𝒜� ► Rule ( ) ⋆ If (( , ), ( , , ), ) and either (2, || || || || || , ) or 𝑆𝑆 𝐵𝐵 𝐼𝐼𝐼𝐼 𝐴𝐴 𝑀𝑀𝑈𝑈 ∗ ∉ 𝛬𝛬𝛹𝛹 5 ( , , , 5) and 4, |⋆ | , , then we abort the game. Further, if 𝐔𝐔𝐔𝐔 − 𝑆𝑆 𝐵𝐵 𝐼𝐼𝐼𝐼 𝐴𝐴 𝑀𝑀𝑈𝑈 𝑀𝑀𝑆𝑆 ∉ 𝛬𝛬𝛹𝛹 𝐼𝐼𝐼𝐼 𝑆𝑆 𝐴𝐴 𝐵𝐵 𝑉𝑉𝑈𝑈 ∗ 𝑀𝑀𝑆𝑆 ∉ 𝛬𝛬𝒜𝒜 (( , ), ( , , ), ) , we define event Auth to be true, and abort the game. � ∗ ∗ 𝑉𝑉𝑈𝑈 ∗ ∉ 𝛬𝛬𝒟𝒟 � ∗ � 𝐼𝐼𝐼𝐼 � ∗ 𝑉𝑉𝑈𝑈� ∉ 𝛬𝛬𝒜𝒜� This rule ensures⋆ that all accepted authenticators, and , are from the simulator. 𝑆𝑆 𝐵𝐵 𝐼𝐼𝐼𝐼 𝐴𝐴 𝑀𝑀𝑈𝑈 𝑀𝑀𝑆𝑆 ∉ 𝛬𝛬𝛹𝛹 5 Games G5 and G4 are perfectly indistinguishable unless ( , , , ) or (4, || || 𝑈𝑈 𝑆𝑆 , ) , which leads to event Auth being true: 𝑀𝑀 𝑀𝑀 𝑈𝑈 𝒟𝒟 ′ ∗ ∗ 𝑉𝑉 ∗ ∉ 𝛬𝛬 ∗ 𝐼𝐼𝐼𝐼 ∗ 𝑈𝑈 𝒜𝒜 5 𝑉𝑉 ∉ 𝛬𝛬 |Pr[S ] Pr[S ]| Pr[Auth ]. (6) ′ 5 4 5 Game G6: In this game, we replace −random oracle≤ (with i {0, 1, 2, 3}) with private oracles . Because we no longer need to compute the values , , , and , we can also 𝑖𝑖 simplify the′ manner in which the participants process theℋ queries: ∈ ℋ𝑖𝑖 𝐾𝐾𝑈𝑈 𝐾𝐾𝑆𝑆 𝑉𝑉𝑈𝑈 𝑉𝑉𝑆𝑆 ► Rule ( ) Compute = ( || ). ► Rule (6) If ( ||⋆ || || ′), the instance terminates without accepting. 3 ► Rule 𝐒𝐒𝐒𝐒(6) − Compute authenticator𝐼𝐼𝐼𝐼′ 𝐼𝐼𝐼𝐼⋆ ⊕ ℋ =𝐴𝐴 𝐵𝐵 ( || || || ) and session key = 𝑈𝑈 1 ( 𝐒𝐒𝐒𝐒||6 |−| || 𝑀𝑀). ≠ ℋ 𝐼𝐼𝐼𝐼 𝑆𝑆 𝐴𝐴 𝐵𝐵 ′ ⋆ 𝑆𝑆 2 𝑆𝑆 ► Rule′ 𝐒𝐒𝐒𝐒⋆ ( ) − Compute = 𝑀𝑀 ( |ℋ| ) 𝐼𝐼𝐼𝐼and authenticator𝑆𝑆 𝐴𝐴 𝐵𝐵 = ( 𝑠𝑠𝑠𝑠|| || || ). 0 ► ℋRule𝐼𝐼𝐼𝐼 (𝑆𝑆6) 𝐴𝐴 If𝐵𝐵 (⋆ || || || ′), the instance terminates without accepting.′ ⋆ 3 𝑈𝑈 1 ► Rule 𝐔𝐔𝐔𝐔(6) − Compute session𝐼𝐼𝐼𝐼′ ⋆ 𝐼𝐼𝐼𝐼 key⊕ ℋ =𝐴𝐴 𝐵𝐵( || || || ). 𝑀𝑀 ℋ 𝐼𝐼𝐼𝐼 𝑆𝑆 𝐴𝐴 𝐵𝐵 𝑆𝑆 2 𝐔𝐔𝐔𝐔 6 − 𝑀𝑀 ≠ ℋ 𝐼𝐼𝐼𝐼 𝑆𝑆 𝐴𝐴 𝐵𝐵 ′ ⋆ 𝐔𝐔𝐔𝐔 − 𝑠𝑠𝑠𝑠𝑈𝑈 ℋ0 𝐼𝐼𝐼𝐼 𝑆𝑆 𝐴𝐴 𝐵𝐵 Games G6 and G5 are indistinguishable unless the following event, AskH , occurs: queries the hash functions or on || || || || || || or on || || || || || || that is on || || || || || ||CDH( , ): 6 𝒜𝒜 ℋ1 ℋ2 𝐼𝐼𝐼𝐼 𝑆𝑆 𝐴𝐴 𝐵𝐵 𝑉𝑉𝑈𝑈 𝑉𝑉𝑆𝑆 𝐾𝐾𝑈𝑈 𝐼𝐼𝐼𝐼 𝑆𝑆 𝐴𝐴|Pr𝐵𝐵[Auth𝑉𝑉𝑈𝑈 𝑉𝑉]𝑆𝑆 𝐾𝐾Pr𝑆𝑆 [Auth ]| 𝐼𝐼𝐼𝐼Pr𝑆𝑆[AskH𝐴𝐴 𝐵𝐵], 𝑉𝑉 𝑈𝑈 |𝑉𝑉Pr𝑆𝑆 [S ] 𝐴𝐴Pr𝐵𝐵[S ]| Pr[AskH ]. (7) ′ ′ 6 5 6 6 5 6 − ≤ − ≤ 1308 Lee et al.: Forward Anonymity-Preserving Secure Remote Authentication Scheme

Lemma 1. The probabilities of the events S and Auth in game G6 can be upper-bounded by the following values: ′ 6 6

Pr[S ] = , Pr[Auth ] min{ , } + . (8) 1 ′ 3𝑞𝑞𝑠𝑠 𝑞𝑞𝑠𝑠 ℓ1 ℓ2 6 2 6 2 2𝑁𝑁 Proof. In game G6, the session keys are computed with≤ private hash oracles unknown to , and thus Pr[S ] = . Let us denote by ( ) the set of received by a server instance, and by 𝒜𝒜 ( ) the set of 1 received by a client instance. Because we have avoided cases where 6 2 𝑅𝑅 𝑆𝑆 𝑀𝑀𝑈𝑈 correctly guessed , can correctly compute using Corrupt( , 1), Corrupt( , 2), 𝑆𝑆 𝑅𝑅Corrupt𝑈𝑈 ( , 3), 𝑀𝑀or Corrupt( , 4) -queries with probability denoted 𝑖𝑖 by Pr[Auth Corr𝑖𝑖 𝒜𝒜] , 𝑈𝑈 𝑈𝑈 Pr[Auth Corr𝑖𝑖 ], Pr𝑉𝑉[Auth𝒜𝒜 Corr𝑗𝑗 ], and Pr[Auth Corr𝑉𝑉 ], respectively.𝑈𝑈 From an information𝑈𝑈 ′ 6 1 theoretical𝑈𝑈 point′ of view, since𝑆𝑆 ′we have avoided collisions′ in game G2, 6 2 6 3 6 4 Pr[Auth ] = Pr[Auth Corr ] + Pr[Auth Corr ] + Pr[Auth Corr ] + Pr[Auth Corr ], Pr[Auth′ Corr ] ,′ ′ ′ ′ 6 min6{ , }1 6 2 6 3 6 4 ′ 𝑞𝑞𝑠𝑠 Pr[Auth Corr ] Pr ℓ1 ℓ2 ( ), ( ), (1, || || || || || , ) 6 1 ≤ 2 ′ + Pr ( ), (∗ ), (2, || || || || || , ) 6 2 𝑝𝑝𝑝𝑝 𝑈𝑈 𝑝𝑝𝑝𝑝 𝑈𝑈 𝑈𝑈 𝒜𝒜 ≤ # ( ) �#∃𝑀𝑀( ) ∈ 𝑅𝑅 𝑆𝑆 𝑉𝑉 ← 𝒟𝒟 𝑉𝑉 ∗ 𝐼𝐼𝐼𝐼 𝑆𝑆 𝐴𝐴 𝐵𝐵 𝑉𝑉 ∗ 𝑀𝑀 ∉ 𝛬𝛬 � 𝑝𝑝𝑝𝑝 ,𝑆𝑆 𝑝𝑝𝑝𝑝 𝑈𝑈 𝑆𝑆 𝒜𝒜 𝑅𝑅 𝑆𝑆 + �𝑅𝑅∃𝑈𝑈𝑀𝑀 ∈ 𝑅𝑅 𝑈𝑈 𝑉𝑉 ← 𝒟𝒟 𝑉𝑉 𝐼𝐼𝐼𝐼 𝑆𝑆 𝐴𝐴 𝐵𝐵 𝑉𝑉 ∗ 𝑀𝑀 ∉ 𝛬𝛬 � Pr[Auth Corr ] , ≤ min{ 𝑁𝑁, } ′ 𝑞𝑞𝑠𝑠 Pr[Auth Corr ] ℓ1 ℓ2 . 6 3 ≤ 2min{ , } ′ 𝑞𝑞𝑠𝑠 ℓ1 ℓ2 6 4 ≤ 2 By definition of the set # ( ) and # ( ), since is received in the second query to the server, and is received in the second query to the client, the cardinalities are both 𝑈𝑈 upper-bounded by 2. 𝑅𝑅 𝑆𝑆 𝑅𝑅 𝑈𝑈 𝑀𝑀 □ 𝑀𝑀𝑆𝑆 𝑠𝑠 Game G7: In this game,𝑞𝑞 ⁄ we simulate the executions using the random self-reducibility of the Diffie-Hellman problem, given one CDH instance ( , ). We do not need to know the values of and , since the values and are no longer needed to compute the authenticators and the session keys: 𝑃𝑃 𝑄𝑄 𝜃𝜃 𝜑𝜑 𝐾𝐾𝑈𝑈 𝐾𝐾𝑆𝑆 ► Rule ( ) Choose a random element . Compute = and add record ( , ) to . (7 ) ∗ = 𝛽𝛽 ( , ) ► Rule Choose a random element 𝑞𝑞 . Compute and add record to 𝐵𝐵. 𝐒𝐒𝐒𝐒 7 − 𝛽𝛽 ∈ ℤ ∗ 𝐵𝐵 𝑔𝑔 𝛼𝛼 𝛽𝛽 𝐵𝐵 𝛬𝛬 𝑞𝑞 𝐴𝐴 𝐔𝐔𝐔𝐔 − Pr[AskH𝛼𝛼]∈=ℤPr[AskH ]. 𝐴𝐴 𝑔𝑔 𝛼𝛼 𝐴𝐴 𝛬𝛬 (9)

7 6 Remember that AskH signifies adversary had queried random oracles , , or on || || || || || ||CDH( , ). By choosing randomly in the -list we can obtain the 7 0 1 2 Diffie-Hellman secret value with probability 1𝒜𝒜 . This is a triple ( , , CDH(ℋ, ℋ)). We canℋ 𝐼𝐼𝐼𝐼 𝑆𝑆 𝐴𝐴 𝐵𝐵 𝑉𝑉𝑈𝑈 𝑉𝑉𝑆𝑆 𝐴𝐴 𝐵𝐵 𝛬𝛬𝐴𝐴 then simply look in lists and to find values and such that = and = : ℎ ⁄𝑞𝑞 𝐴𝐴 𝐵𝐵 𝛼𝛼 𝐴𝐴 𝐵𝐵 𝛽𝛽 CDH𝛬𝛬𝐴𝐴 ( , 𝛬𝛬)𝐵𝐵 = CDH , 𝛼𝛼 = CDH𝛽𝛽 ( , ) 𝐴𝐴. 𝑔𝑔 𝐵𝐵 𝑔𝑔 Thus: 𝛼𝛼 𝛽𝛽 𝛼𝛼𝛼𝛼 Pr𝐴𝐴 [𝐵𝐵AskH ] �𝑃𝑃 Succ𝑄𝑄 cdh� ( ), 𝑃𝑃 𝑄𝑄 (10) ′ where + ( + + 1) . 7 ≤ 𝑞𝑞ℎ 𝔾𝔾 𝑡𝑡 ′ 𝑡𝑡 ≤ 𝑡𝑡 𝑞𝑞𝑠𝑠 𝑞𝑞𝑝𝑝 ⋅ 𝜏𝜏𝔾𝔾 KSII TRANSACTIONS ON INTERNET AND INFORMATION SYSTEMS VOL. 10, NO. 3, March 2016 1309

Conclusion of the proof: The proof is completed by summing all the relations. Simply note that is the size of , which contains all the encryption/decryption-queries directly asked by the adversary, and all the decryption-queries made by our simulation: at most one per Send𝑞𝑞-ℰquery (direct or𝛬𝛬ℰ through Execute-queries), which gives + + . From Equations (1)-(7), ℰ 𝑠𝑠 𝑝𝑝 𝑒𝑒 𝑞𝑞 ≤ 𝑞𝑞 𝑞𝑞 𝑞𝑞 |Pr[ ] Pr[ ]| + + + + + Pr[ ] + Pr[ ] S S 2 2 ( )2 min{ , } Auth AskH 𝑞𝑞ℎ 𝑞𝑞ℰ �𝑞𝑞𝑠𝑠+𝑞𝑞𝑝𝑝� 𝑞𝑞𝑠𝑠 𝑞𝑞𝑠𝑠 ′ ℓ+1 ℓ4+1 ℓ1 ℓ2 ℓ4 6 − 0 ≤ 2 2 2 𝑞𝑞−+1 2 + Pr[ 2 ] + 2 Pr[5 ] 6 2 2 ( )2 Auth AskH . 𝑞𝑞ℎ+�𝑞𝑞𝑠𝑠+𝑞𝑞𝑝𝑝+𝑞𝑞𝑒𝑒� +4𝑞𝑞𝑠𝑠 �𝑞𝑞𝑠𝑠+𝑞𝑞𝑝𝑝� ′ ℓ+1 6 6 From Equations (8)-(10)≤ , we get2 2 𝑞𝑞−1

Pr[Auth ] + , Pr[AskH ] Succcdh( ), (10) ′ 3𝑞𝑞𝑠𝑠 𝑞𝑞𝑠𝑠 ′ ℓ which concludes the proof. 6 ≤ 2 2 𝑁𝑁 6 ≤ 𝑞𝑞 ℎ 𝔾𝔾 𝑡𝑡 □

A.2 Proof of Theorem 2 Proof. We can use the same proof presented in the previous section here, because

Adv ( ) = Pr[Auth ], auth 𝒫𝒫 0 and see that in game G5, Pr[Auth ] = 0, and𝒜𝒜 Equations (2) to (7) extend to

5 Pr[Auth ] = Pr[Auth ],

|Pr[ ] Pr[ 1]| + 0 + , Auth Auth 2 2 ( )2 𝑞𝑞ℎ 𝑞𝑞ℰ �𝑞𝑞𝑠𝑠+𝑞𝑞𝑝𝑝� |Pr[ ] Pr[ ]| ℓ+1 ℓ,4+1 Auth2 − Auth1 ≤ 2min{ , 2} 2 𝑞𝑞−1 𝑞𝑞𝑠𝑠 |Pr[Auth ] Pr[Auth ]| , ℓ1 ℓ2 3 2 2 − ≤ 𝑞𝑞𝑠𝑠 |Pr[Auth ] Pr[Auth ]| Prℓ4[Auth ]. 4 3 2 − ≤ ′ Then, we get 5 − 4 ≤ 5

2 2 Adv ( ) + + + + + Pr[ ] + Pr[ ], 4+1 ( )2 min{ , } 4 Auth AskH 𝑠𝑠 𝑝𝑝 auth 𝑞𝑞ℎ 𝑞𝑞ℰ �𝑞𝑞 +𝑞𝑞 � 𝑞𝑞𝑠𝑠 𝑞𝑞𝑠𝑠 ′ ′ 𝒫𝒫 ℓ+1 ℓ ℓ1 ℓ2 ℓ 6 6 which concludes𝒜𝒜 the≤ proof,2 using2 Equation2 𝑞𝑞−1 (11).2 2 □

1310 Lee et al.: Forward Anonymity-Preserving Secure Remote Authentication Scheme

Hanwook Lee received the B.E. degree in Computer Engineering from Kyungpook National University, Korea, in 1996 and the M.S. degree from POSTECH, Korea, in 1998. Since 1998 he has been a researcher at Korea Financial Telecommunications and Clearings Institute. He is currently a Ph.D. student at Sungkyunkwan University, Korea. His research interests include cryptography and information security.

Junghyun Nam received the B.E. degree in Information Engineering from Sungkyunkwan University, Korea, in 1997. He received his M.S. degree in Computer Science from University of Louisiana, Lafayette, in 2002, and the Ph.D. degree in Computer Engineering from Sungkyunkwan University, Korea, in 2006. He is now a professor in Konkuk University, Korea. His research interests include cryptography and computer security.

Moonseong Kim received the M.S. degree in Mathematics, August 2002 and the Ph.D. degree in Electrical and Computer Engineering, February 2007 both from Sungkyunkwan University, Korea. He was a research professor at Sungkyunkwan University in 2007. From December 2007 to October 2009, he was a visiting scholar in ECE and CSE, Michigan State University, USA. Since October 2009, he has been a patent examiner in Information and Communication Examination Bureau, Korean Intellectual Property Office (KIPO), Korea. His research interests include wired/wireless networking, sensor networking, mobile computing, network security protocols, and simulations/numerical analysis.

Dongho Won received BSC, MSC and PhD in Electronic Engineering from Sungkyunkwan University, South Korea. After working in Electronics and Telecommunication Research Institute for two years, he joined Sungkyunkwan University, where he is currently a leader professor at Information and Communication Engineering. He also served as a President of Korea Institute of Information Security and Cryptography. His research interests are cryptology and information security.