a secure three-factor multiserver authentication protocol...

Research ArticleA Secure Three-Factor Multiserver Authentication Protocolagainst the Honest-But-Curious Servers

Hua Guo12 Chen Chen3 Ya Gao4 Xiong Li 56 and Jiongchao Jin7

1 School of Cyber Science and Technology Beihang University Beijing 100191 China2Hefei Innovation Institute Beihang University Anhui 230012 China3Informatization Office of Beihang University Beijing 100191 China4Beijing Key Laboratory of Network Technology Beihang University Beijing 100191 China5School of Computer Science and Engineering Hunan University of Science and Technology Xiangtan 411201 China6Guangxi Key Laboratory of Trusted Software Guilin University of Electronic Technology Guilin 541004 China7School of Computer Science and Engineering Beihang University Beijing 100191 China

Correspondence should be addressed to Xiong Li lixiongzhq163com

Received 13 April 2018 Revised 26 July 2018 Accepted 26 August 2018 Published 13 September 2018

Academic Editor Ding Wang

Copyright copy 2018 HuaGuo et alThis is an open access article distributed under the Creative Commons Attribution License whichpermits unrestricted use distribution and reproduction in any medium provided the original work is properly cited

Three-factor multiserver authentication protocols become a prevalence in recent years Among these protocols almost all of themdo not involve the registration center into the authentication process To improve the protocolrsquos efficiency a common secret keyis shared among all severs which leads to a serious weakness ie we find that these protocols cannot resist the passive attackfrom the honest-but-curious servers This paper takes Wang et alrsquos protocol as an example to exhibit how an honest-but-curiousserver attacks their protocol To remedy this weakness a novel three-factor multiserver authentication protocol is presented Byintroducing the registration center into the authentication process the new protocol can resist the passive attack from the honest-but-curious servers Security analyses including formal and informal analyses are given demonstrating the correctness and validityof the new protocol Compared with related protocols the new protocol possesses more secure properties and more practicalfunctionalities than others at a relatively low computation cost and communication cost

1 Introduction

Nowadays with the rapid development of networks remotecommunication becomes increasingly prevalent and provideshighly useful services in many aspects Consequently com-munication security significantly attracts publicrsquos attentionCryptographic authentication allows users to submit theircredentials and acquire authorization to access the variousonline services from remote networks [1ndash5] Since Lamport[6] firstly proposed a password-based remote authenticationprotocol great quantities of authentication protocols wereproposed to make up continued emerging problems andprovide authorized communication between remote entitiesHowever the traditional protocols gradually cannot catchup with the pace of increasing demand for more usersand servers in communication Multiserver authentication

schemes became the mainstream because most of the prac-tical communication environments are based on severalservers to alleviate the pressure of the increasing number ofusers

Lots of authentication protocols for multiserver environ-ments were proposed to satisfy the security requirementsand provide versatile functionalities to make the schememore convenient and practical to utilize in real occasions[7ndash20] In 2001 Li et al [7] proposed a remote multiserverauthentication protocol with no verification table which wasfound insecure by Lin et al [8] They also presented animproved protocol while it was vulnerable to impersonationattack [9] Juang et al [10] adopted symmetric-key cryptosys-tem to propose a multiserver authentication protocol but itwas cracked soon In 2004 a novel protocol was presentedby Chang and Lee [11] However all of them ignored user

HindawiWireless Communications and Mobile ComputingVolume 2018 Article ID 3284324 14 pageshttpsdoiorg10115520183284324

2 Wireless Communications and Mobile Computing

anonymity [12] In 2009 a remote multiserver authenticationscheme which satisfies anonymity property was proposed[13] but it does not have forward security [14] BesidesHsiang and Shih [15] presented a new protocol to resistvarious attacks however some drawbacks on mutual authen-tication are pointed out [16] Recently a big breakthrough iethe inner relationships of evaluation criteria for anonymoustwo-factor authentication protocol is explored by Wang etal [17] To improve the security of remote communicationsmart card gradually came into use in authentication whichmade it possible for more convenient authentication andcommunication Some remote authentication protocols formultiserver environment with a smart card were proposedbut proved to be insecure in the end [21ndash23]

Relying on smart card and password as the authenticationmethod already cannot meet todayrsquos needs In the latest fewyears more and more authentication protocols adopt bio-metrics messages in mutual authentication to strengthen thesecurity and enhance the efficiency of the existing protocolsIn 2010 Yang et al [24] introduced a three-factor multiserverauthentication protocol Unfortunately the protocol has lowcomputation efficiency and cannot resist the insider attack Liet al proposed an efficient protocol [25] which allows users tochange the password and the calculation cost is lowHowevertheir scheme cannot provide appropriate certification andfailed to resist man-in-the-middle attack [26] Adoptingelliptic curve cryptography Yoon et al [27] in 2011 designeda novel protocol unfortunately Kim et al [28] showed thatYoon et al [27] protocol is insecure In 2014 Chuang etal [29] put forward an anonymous protocol but Mishraet al [30] broke their protocol Later Lu et al [31] foundthat there are several weaknesses in Mishra et alrsquos improvedprotocol and they also presented an improved protocolwhich is broken by Reddy et al [32] Meanwhile Wang etal [33] also found that Mishra et alrsquos improved protocolis insecure Regrettably some weaknesses in Wang et alrsquosprotocol [33] were shown by Yang et al [24] and Reddy etal [34] separately Recently Jiang et al [35] and He et alput forwardmultiserver authenticated protocols using ellipticcurve cryptography(ECC) separately Unfortunately Odeluet al found that there are flaws in He et als protocol inlogin and password change phases and can not resist theimpersonation attack

All of the above three-factor multiserver authenticationprotocols can be categorized into two classes ie the pro-tocols which implement the authentication independent ofthe registration center and the protocols which need thehelp of the registration center in the authentication phaseAfter carefully examining the known three-factormultiserverauthentication protocols we find that almost all of the firstkind of protocols cannot resist the passive attack from anhonest-but-curious server since all servers share a commonsecret key More precisely an honest-but-curious server cancompute session keys which are shared between a userand other servers by eavesdropping messages transmittingbetween the users and other servers In this paper we takeWang et alrsquos protocol as an example to show how an honest-but-curious server obtains a session key which should be keptsecret from him Moreover we find some other drawbacks

in their protocol For example in the reregister or revocationphase a user can still use his original password to login andsend message even if he is revoked

To resist the passive attack from the honest-but-curiousservers a trivial solution is to distribute different secretkeys to different severs which would aggravate the userrsquosstorage burden Another method is introducing the regis-tration center into the authentication phase to deal withsecret messages As we mentioned above such protocols arebased on either ECCor symmetric encryption cryptosystemswhich heavily affect the computation efficiency To balancethe security problem brought by the honest-but-curiousservers and the efficiency problem brought by involving theregistration center into the authentication we propose a novelmultiserver authentication protocol In authentication phaseof new protocol the involved registration center only adoptshash and XOR operations for the computation instead ofECC and symmetric cryptosystem thus greatly improvingthe protocolrsquos computation efficiency As far as we known thisis the first time to consider the passive attack from honest-but-curious servers for multiserver authentication protocolsMoreover the new protocol is the first protocol which onlyadopts hash and XOR operations for computation wheninvolving the registration center into the authentication

The remaining of the paper is organized as followsSection 2 reviews and analyzes the security of Wang et alrsquosprotocol In Section 3 we present the new three-factor mul-tiserver authentication scheme in detail Section 4 providesthe formal and informal secure analysis of the new protocolIn Section 5 comparisons including security functionalitiescomputation cost and communication cost are conductedThe last section gives a conclusion

2 Some Weakness of Wang et alrsquos Scheme

We firstly give the details about Wang et alrsquos protocol andthen show how an honest-but-curious server attacks theirprotocol step by step

21 Review of Wang et alrsquos Protocol Wang et alrsquos protocolinvolves five phases ie registration phase login phaseauthentication phase password changing phase and revoca-tionreregistration phase which are executed by the user 119880119894the server 119878119895 and the registration center119877119862The symbols andnotations are listed in Table 1 Assume 119877119862 is a trusted thirdparty which is able to register for users and servers

Registration Phase(i) Registration phase of server

(a) 119878119895 sends a request message to 119877119862(b) 119877119862 authorizes 119878119895 once it receives the message

and returns 119875119878119870 (preshared key) to 119878119895 securely(c) 119878119895 uses 119875119878119870 to check 119880119894rsquos legitimacy in authen-

tication phase

(ii) Registration phase of user

(a) The new user 119880119894 inserts 119878119862119894 into the cardreader inputs 119868119863119894 119875119882119894 and imprints 119861119894 at the

Wireless Communications and Mobile Computing 3

Table 1 Symbols and notations in Wang et alrsquos scheme

119880119894 the 119894th user119878119895 the 119895th server119877119862 registration centre119868119863119894 119880119894 rsquos identity119860119868119863119894 119880119894 rsquos dynamic identity119878119868119863119895 119878119895rsquos identity119878119862119894 119880119894rsquos smart card119875119882119894 119880119894 rsquos password119861119868119874119894 119880119894rsquos biometrics119877119894 119880119894 rsquos nearly random binary string119875119878119870 pre-shared key between server and registration centre119909 master secret key between user and registration centreoplus exclusive ORℎ( ) one-way hash function|| concatenating operation

sensor After that (119877119894 119875119894) is extracted from 119861119868119874119894through 119866119890119899(119861119868119874119894) larr997888 (119877119894 119875119894) Finally 119880119894calculates 119877119875119882119894 = ℎ(119875119882119894 119877119894) and sends119868119863119894119877119875119882119894 to 119877119862 securely

(b) 119877119862 generates lt 119868119863119894 119873119894 = 1 gt and stores it tothe database Note that 119873119894 indicates the state of119880119894rsquos account When 119880119894 revokes his account 119877119862sets 119873119894 = 0 When 119880119894 reregisters his account119877119862 sets 119873119894 = 119873119894 + 1 After that 119877119862 calculates119860 119894 = ℎ(119868119863119894 119909 119879119903) 119861119894 = 119877119875119882119894 oplus ℎ(119860 119894)119862119894 = 119861119894 oplus ℎ(119875119878119870) 119863119894 = 119875119878119870 oplus 119860 119894 oplus ℎ(119875119878119870)and 119881119894 = ℎ(119868119863119894 119877119875119882119894) where 119879119903 is the time ofregistration Finally 119877119862 sends 119861119894 119862119894 119863119894 119881119894 to119880119894 securely

(c) 119880119894 receives 119861119894 119862119894 119863119894 119881119894 from 119877119862 stores119861119894 119862119894 119863119894 119881119894 119875119894 into 119878119862119894 and stores 119875119894 in 119878119862119894

Login Phase

(i) 119880119894 inputs 119868119863119894 and119875119882119894 with hisher smart card 119878119862119894 andimprints 119861119868119874lowast119894 at the sensor

(ii) 119878119862119894 calculates 119877119894 = 119877119890119901(119861119868119874lowast119894 119875119894) and 119877119875119882119894 =ℎ(119875119882119894 119877119894) After that 119878119862119894 checks whether ℎ(119868119863119894 119877119875119882119894) = 119881119894 holds or not If it is right 119878119862119894 computesℎ(119875119878119870) = 119861119894 oplus 119862119894

(iii) 119878119862119894 calculates 119860119868119863119894 = ℎ(1198731) oplus 119868119863119894 after choosing arandom number 1198731 After that 119878119862119894 computes1198721 =119877119875119882119894oplusℎ(119875119878119870)oplus1198731 and1198722 = ℎ(119860119868119863119894 1198731 119877119875119882119894 119878119868119863119895 119879119894) where 119879119894 is a timestamp

(iv) 119878119862119894 sends 119861119894 11986311989411987211198722 119860119868119863119894 119879119894 to 119878119895

Authentication Phase

(i) 119878119895 checks whether 119879119894 minus 119879119895 le Δ119879 Note that 119879119895 is thetime that 119878119895 receives the loginmessage andΔ119879meansthe time interval

(ii) If the verification is valid 119878119895 calculates 119860 119894 = 119875119878119870 oplus119863119894 oplus ℎ(119875119878119870) 119877119875119882119894 = ℎ(119860 119894) oplus 119861119894 and 1198731 = 1198721 oplus

119877119875119882119894 oplus ℎ(119875119878119870) and checks whether ℎ(119860119868119863119894 1198731 119877119875119882119894 119878119868119863119895 119879119894) = 1198722

(iii) If this verification is valid 119878119895 chooses a randomnumber 1198732 and calculates 119878119870119894119895 = ℎ(119860119868119863119894 119878119868119863119895 1198731 1198732) as the session secret key Then 119878119895 computes1198723 = ℎ(119875119878119870)oplusℎ(119860119868119863119894 1198731)oplus1198732 and1198724 = ℎ(119878119868119863119895 1198732 119860119868119863119894) Finally 119878119895 returns 11987231198724 119878119868119863119895 to 119880119894

(iv) 119878119862119894 calculates 1198732 = ℎ(119875119878119870) oplus ℎ(119860119868119863119894 1198731) oplus 1198723and 119878119870119894119895 = ℎ(119860119868119863119894 119878119868119863119895 1198731 1198732) and checkswhether ℎ(119878119868119863119895 1198732 119860119868119863119894) = 1198724 If it is valid 119878119862119894calculates1198725 = ℎ(119878119870119894119895 1198731 1198732) and sends1198725 to119878119895

(v) 119878119895 checks whether the condition ℎ(119878119870119894119895 1198731 1198732)matches with 1198725 If holds 119878119895 confirms the sessionkey 119878119870119894119895 Otherwise 119878119895 terminates the session imme-diately

Password Change Phase

(i) 119880119894 inserts hisher smart card inputs 119868119863119894 and119875119882119894 andimprints 119861119868119874lowast119894

(ii) 119878119862119894 retires 119877119894 from 119877119890119901(119861119868119874lowast119894 119875119894) and computes119877119875119882119894 = ℎ(119875119882119894 119877119894) Then 119878119862119894 checks whetherℎ(119868119863119894 119877119875119882119894) matches with 119881119894 If it holds 119880119894 caninput the new password

(iii) 119880119894 inputs the new password 119875119882119899119894 and 119878119862119894 calculates119877119875119882119899119894 = ℎ(119875119882119899119894 119877119894) 119861

119899119894 = 119861119894 oplus 119877119875119882119894 oplus 119877119875119882

119899119894

119862119899119894 = 119862119894 oplus 119877119875119882119894 oplus 119877119875119882119899119894 and 119881

119899119894 = ℎ(119868119863119894 119877119875119882

119899119894 )

(iv) 119878119862119894 displaces 119861119894 with 119861119899119894 119862119894 with 119862

119899119894 and 119881119894 with 119881

119899119894

respectively

Revocation and Reregistration Phase

(i) If119880119894 is revoked he needs to send verification message119877119875119882119894 to 119877119862 securely

(ii) 119877119862 checks the validity of 119880119894 If 119880119894 is a valid user 119877119862sets lt 119868119863119894 119873119894 = 0 gt


(iii) 119877119862 follows the user registration phase and uses lt119868119863119894119873119894 = 119873119894 + 1 gt to replace lt 119868119863119894119873119894 gt

22 Analysis of Wang et alrsquos Protocol This subsection ana-lyzesWang et alrsquos protocol and shows how tomount a passiveattack by an honest-but-curious server

221 Passive Attack from an Honest-But-Curious ServerIn this attack an honest-but-curious server (say 119878119895) onlypassively eavesdrops messages between the user119880119894 and otherservers so that he can obtain the session keys shared by theuser 119880119894 and other servers which should be kept secret from119878119895 using his secret key and eavesdropping messages Moreprecisely suppose a user 119880119894 has finished the protocol with aserver 1198781 and is running the protocol with the other server 1198782Now we will show how the server 1198781 obtains the session keybetween 119880119894 and 1198782 step by step

(i) Step 1 1198781 finished the protocol with 119880119894 successfullyThus the server has knowledge of 119875119878119870

(ii) Step 2 During the protocol process between 119880119894 and1198782 1198781 firstly intercepts 119861119894 11986311989411987211198722 119860119868119863119894 119879119894 sentby 119880119894 to 1198782 From these messages 1198781 obtains 1198731 bycalculating 119860 119894 = 119863119894 oplus 119875119878119870 oplus ℎ(119875119878119870) 119877119875119882119894 = 119861119894 oplusℎ(119860 119894) and1198731 = 119877119875119882119894 oplus1198721 oplus ℎ(119875119878119870)

(iii) Step 3 After that 1198781 intercepts the messages11987811986811986311989511987231198724 which are sent from 1198782 to 119880119894 Thenthe server 1198781 obtains 1198732 by calculating 1198732 = 1198723oplusℎ(119860119868119863119894 1198731) oplus ℎ(119875119878119870) In this case the server 1198781acquired1198731 and1198732 generated in this session

(iv) Step 4 With the intercepted 119860119868119863119894 and 119878119868119863119895 1198781 canobtain the session key 119878119870119894119895 by calculating 119878119870119894119895 =ℎ(119860119868119863119894 119878119868119863119895 1198731 1198732) successfully which shouldbe kept secret from him

222 Userrsquos Anonymity Userrsquos anonymity means that userrsquos119868119863119894 and other urgent information indicating userrsquos identitydirectly should be protected carefully InWang et alrsquos schemean honest-but-curious server 119878119895 can compute 1198731 by 1198731 =119877119875119882119894 oplus 1198721 oplus ℎ(119875119878119870) At the same time 119878119895 receives 119860119868119863119894from 119880119894 119878119895 can obtain 119880119894rsquos identity 119868119863119894 by computing 119868119863119894 =119860119868119863119894 oplus ℎ(1198731) As a consequence the server can obtain 119868119863119894of the user 119880119894 This does not guarantee the anonymity of theuserrsquos identity

223 User Impersonation Attack The honest-but-curiousserver 119878119895 can collect 119861119894 and 119863119894 which are sent by 119880119894 and thuscan calculate119877119875119882119894 using119875119878119870 After that 119878119895 canpretend to be119880119894 and apply authentication from other servers Specifically119878119895 randomly choose a number 1198731 and calculates 119860119868119863119894 =ℎ(1198731) oplus 1198681198631198941198721 = 119877119875119882119894 oplus1198731 oplusℎ(119875119878119870) and1198722 = ℎ(119860119868119863119894 1198731 119877119875119882119894 119878119868119863119895 119879119894) Then 119878119895 sends 119861119894 11986311989411987211198722119860119868119863119894 119879119894 to other servers through a public channel In thisway 119878119895 can disguise as 119880119894

224 Wrong Revocation and Reregistration In this phaseusers are allowed to revoke or reregister when he confronts

the situation about losing the smart card or his account InWang et alrsquos schemewhen a userwants to revoke his accounthe has to pass the authentication After that 119877119862 changes 119873119894to 0 indicating that 119868119863119894 is not available any more In thereregistration phase 119877119862 also changes119873119894 to119873119894 + 1 However119877119862 is not involved in login phase and authentication phaseAs a result there is no access for 119877119862 to check whether theuserrsquos account is revoked or not Thus the user can accessthe legal servers only using his former password and hisbiometrics even he already has been revoked

23 Reasons for the Weakness In Wang et alrsquos protocoltwo important temporary secret values 1198731 and 1198732 areprotected by 119875119878119870 Unfortunately all servers keep the sameprivate key 119875119878119870 As a result an honest-but-curious server119878119895 with 119875119878119870 can obtain all session keys which shouldbe kept secret from him This attack usually exists in themultiserver environment In the most cases a legitimateserver after registration is assumed to be completely trust-worthy without taking into account the possibility that aparticular server can act as an honest-but-curious adver-sary

To resist this attack it is bound to distribute differentsecret keys to different servers which can be implementedby involving the registration center in the authenticationprocess Unfortunately in most of this kind of protocolauthentication process is excused between the user and theserver independent of the registration center Therefore todesign a secure three-factor authentication protocol againstthe passive attack from an honest-but-curious server the reg-istration center should be introduced into the authenticationprocess to protect the important temporary secret values 1198731and1198732

3 The New Protocol

In this section we first discuss the threat model used inour protocol We then give the list of notations used in ourproposed scheme Finally we describe the different phasesrelate to our scheme

31 Threat Model In this subsection we introduce a threatmodel following the definition of [36ndash39]

(i) The adversary A is able to control the open commu-nication channel completely that is he can interceptmodify delete block and resend the messages overthe open channel

(ii) The adversaryA can list all pairs of 119868119863119894 from the spaceof identities and 119875119882119894 from the space of passwords ina polynomial time

(iii) The adversary A can either intercept the password ofthe user via themalicious device or extract the param-eters from the smart card but both methods cannotbe used together An honest-but-curious server doesnot have this ability

(iv) WhenA acts as an honest-but-curious server he canjust listen the messages via the open channel


Table 2 Notations in the new protocol

119880119894 119878119895 119894th user and 119895th server119877119862 the registration centre119868119863119894 119860119868119863119894 119878119868119863119895 119880119894 rsquos identity dynamic identity and 119878119895rsquos identity119878119862119894 119875119882119894 119861119868119874119894 119880119894rsquos smart card password and biometrics119877119894 119875119894 valid biometric characteristic extracted from 119861119868119874119894119875119878119870 master secret key between server and registration centre119883 master secret key between user and registration centreℎ( ) oplus || hash function XOR operation and concatenating operation119909119894 pre-shared key between 119880119894 and registration centre119910119895 pre-shared key between 119878119895 and registration centre

Figure 1 Registration phase of server

32The Proposed Protocol AsWang et alrsquos protocol the newprotocol also involves five phases Table 2 lists the notationsused in the new protocol

321 Registration Phase

(i) Server registration phaseDuring server registration 119878119895 communicates with 119877119862to authenticate his validity and become a legislativeserver after receiving the preshared key sent from119877119862The whole process of the server registration phase isshown in Figure 1

(a) 119878119895 sends a request message to 119877119862(b) 119877119862 authorizes 119878119895 and adds a novel entry lt

119878119868119863119895 119910119895 gt to the database where 119910119895 is a ran-dom number Then ℎ(119875119878119870) 119910119895 is sent to 119878119895 byapplying IKEv2 securely

(c) 119878119895 adopts119875119878119870 119910119895 to protect the urgentmessagesand generates the session key 119878119870119894119895

(ii) User registration phaseA user sends his personal information to 119877119862 and getshis own smart card by executing the process listed inFigure 2

(a) 119880119894 inputs 119861119868119874119894 at the sensor and can obtain119877119894 119875119894 using 119866119890119899(119861119868119874119894) 997888rarr (119877119894 119875119894) Then 119880119894selects 119868119863119894 and 119875119882119894 and calculates 119877119875119882119894 =ℎ(119875119882119894 119877119894) 119880119894 finally sends 119868119863119894119877119875119882119894 to 119877119862securely

(b) 119877119862 generates a novel entry lt 119868119863119894 119909119894 gt to thedatabase where 119909119894 is a random number that

records the validity of 119880119894 If 119880119894 has revokedits account or the account is not availableat present 119877119862 generates a negative randomnumber 119909119894 otherwise 119909119894 is a positive randomnumber At the same time 119909119894 is a preshared keyAfter that 119877119862 computes 119860 119894 = ℎ(119868119863119894 119883 119879119903) 119861119894 = 119877119875119882119894 oplus ℎ(119860 119894) 119862119894 = 119861119894 oplus ℎ(119875119878119870)119863119894 = 119875119878119870 oplus 119860 119894 oplus ℎ(119875119878119870) 119881119894 = ℎ(119868119863119894 119877119875119882119894)119864119894 = 119877119875119882119894 oplus 119909119894 and 119865119894 = 119877119875119882119894 oplus ℎ(119883) where119879119903 is the registration time and 119883 is the maskersecret key between the user and the registrationcenter

(c) 119877119862 puts 119861119894 119862119894 119863119894 119881119894 119864119894 119865119894 into 119878119862119894 After that119877119862 issues it to 119880119894 securely

(d) With 119878119862119894 119880119894 keeps 119875119894 into 119878119862119894 and initials theauthentication

322 Login Phase A user 119880119894 tries to login to a server 119878119895 byexecuting the steps shown in Figure 3

(i) 119880119894 inputs 119868119863119894119875119882119894 and 119861119868119874lowast119894 then his smart card can

recover 119877lowast119894 using 119877119890119901(119861119868119874lowast119894 119875119894) 997888rarr 119877lowast119894

(ii) 119878119862119894 computes 119877119875119882lowast119894 = ℎ(119875119882119894 119877lowast119894 ) and then checks

whether ℎ(119868119863119894 119877119875119882lowast119894 ) = 119881119894 or not If it is true 119878119862119894

calculates ℎ(119875119878119870) = 119861119894 oplus 119862119894 119909119894 = 119877119875119882119894 oplus 119864119894 andℎ(119883) = 119877119875119882119894 oplus 119865119894 Otherwise 119880119894 does not pass theidentity authentication

(iii) 119878119862119894 generates a number1198731 randomly for each sessionand calculatesℎ(119860 119894 ) = 119877119875119882119894oplus119861119894119860119868119863119894 = 119868119863119894oplusℎ(119883)oplusℎ(119860 119894) 1198721 = 119877119875119882119894 oplus 1198731 oplus ℎ(119875119878119870) oplus 119909119894 and 1198722 =ℎ(119860119868119863119894 119877119875119882119894 119878119868119863119895 119879119894) where 119879119894 is a timestamp

(iv) 119878119862119894 sends 11986011986811986311989411987211198722 119861119894 119863119894 119879119894 to 119878119895

323 Authentication Phase This phase offers the details ofmutually authentication which are indicated in Figure 3

(i) 119878119895 receives the information from 119880119894 and verifieswhether 119879119894 minus 119879

1015840119895 le Δ119879 holds or not If it holds 119878119895

calculates 119860 119894 = 119875119878119870 oplus 119863119894 oplus ℎ(119875119878119870) and 119877119875119882119894 =119861119894 oplus ℎ(119860 119894) Otherwise 119878119895 will reject the login requestThen 119878119895 checks whether 1198722 = ℎ(119860119868119863119894 119877119875119882119894 119878119868119863119895 119879119894) If it fails the protocol would be stopped


Figure 2 Registration phase of user

Figure 3 Login and authentication phase


Otherwise the server computes1198601198681198631015840119894 = 119860119868119863119894oplusℎ(119860 119894)1198723 = 1198721 oplus 119877119875119882119894 oplus 119910119894 and1198724 = ℎ(1198601198681198631015840119894 119878119868119863119895

119910119895 119879119895) and sendsmessages 1198601198681198631015840119894 11987811986811986311989511987231198724 119879119895to 119877119862

(ii) 119877119862 receives the messages and verifies whether 119879119895 minus119879119903119888 le Δ119879 holds or not If it holds 119877119862 checks whether1198724 = ℎ(1198601198681198631015840119894 119878119868119863119895 119910119895 119879119895) If it fails therequest would be stopped Otherwise 119877119862 computes119868119863119894 = 1198601198681198631015840119894 oplus ℎ(119883) Then 119877119862 goes through thedatabase lt 119868119863119894 119909119894 gt lt 119878119868119863119895 119910119895 gt stored in 119877119862 toget 119909119894 and 119910119894 If 119909119894 is a negative number the requestwould be stopped After that 119877119862 computes 1198731 =1198723 oplus ℎ(119875119878119870) oplus 119909119894 oplus 119910119895 1198725 = 1198731 oplus 119910119895 oplus 119875119878119870 and1198726 = ℎ(1198725)oplus119879119888 where119879119888 is an additional timestampFinally 119877119862 returns 11987251198726 119879119888 to 119878119895

(iii) Once 119878119895 receives the message from 119877119862 it verifieswhether 119879119888 minus 119879

lowast119895 le Δ119879 holds or not If it holds 119878119895

checks whether 1198726 = ℎ(1198725) oplus 119879119888 If it fails therequest will be stopped Otherwise 119878119895 calculates1198731 =1198725oplus119910119895oplus119875119878119870 After selecting a number1198732 randomly119878119895 computes 119878119870119894119895 = ℎ(119860119868119863119894 119878119868119863119895 1198731 1198732)1198727 =1198732 oplus ℎ(119860119868119863119894 1198731) oplus ℎ(119875119878119870) and 1198728 = ℎ(119878119868119863119895 1198732 119860119868119863119894)Then the server sends 11987811986811986311989511987271198728 to119880119894

(iv) 119880119894 retrieves1198732 and calculates 119878119870119894119895 by computing1198732 =1198727 oplus ℎ(119860119868119863119894 1198731) oplus ℎ(119875119878119870) and 119878119870119894119895 = ℎ(119860119868119863119894 119878119868119863119895 1198731 1198732) After that 119880119894 checks whether1198728 =ℎ(119878119868119863119895 1198732 119860119868119863119894) holds or not If it is valid theuser calculates 1198729 = ℎ(119878119870119894119895 1198731 1198732) and sends1198729 to 119878119895

(v) Finally 119878119895 receives1198729 and checks whether the equa-tion ℎ(119878119870119894119895 1198731 1198732) = 1198729 holds or not If soa secret session key is generated successfully and canbe used in the following communication Otherwise119878119895 would reject the authentication

324 Password Change Phase Using this phase 119880119894rsquos pass-word can be changed without any exchanging message fromboth 119877119862 and 119878119895

(i) 119880119894 inputs 119868119863119894 the old password 119875119882119894 and imprints119861119868119874119894 as well and computes 119877119875119882119894 = ℎ(119875119882119894 119877119894)which is used to pass the authentication

(ii) 119880119894 inputs a new password 119875119882119899119890119908119894 After that 119880119894computes 119877119875119882119899119890119908119894 = ℎ(119875119882119899119890119908119894 119877119894) 119861

119899119890119908119894 = 119861119894 oplus

119877119875119882119894 oplus 119877119875119882119899119890119908119894 119862119899119890119908119894 = 119861119899119890119908119894 oplus ℎ(119875119878119870) 119881119899119890119908119894 =

ℎ(119868119863119894 119877119875119882119899119890119908119894 ) 119864119899119890119908119894 = 119864119894 oplus 119877P119882119894 oplus 119877119875119882

119899119890119908119894 and

119865119899119890119908119894 = 119865119894 oplus 119877119875119882119894 oplus 119877119875119882119899119890119908119894

(iii) 119878119862119894 replaces 119861119894 119862119894 119864119894 119865119894 and119881119894 with 119861119899119890119908119894 119862119899119890119908119894 119864119899119890119908119894

119865119899119890119908119894 and 119881119899119890119908119894

325 User Revocation or Reregistration Phase This phase isused for revocation and reregistration when 119880119894rsquos smart card119878119862119894 is stolen or lost

(i) In revocation phase 119880119894 sends revocation requeststo 119877119862 119877119862 chooses a negative random number and

modifies the value of 119909119894 corresponding to 119880119894 as thatrandom number

(ii) In reregistration phase 119880119894 sends reregistrationrequests to 119877119862 119877119862 selects a positive random numberand sets it as 119909119894 of 119880119894

4 Security Analysis of the New Protocol

41 Verifying the New Protocol with BAN Logic Burrows-Abadi-Needham (BAN) logic is introduced by Burrows etal [40] and widely used to analyze the security protocolIn this subsection BAN logic is used to prove that mutualauthentication can be obtained after running the new proto-col successfully The notations and postulates in BAN logicare listed in Table 3

We first define the test goals which the new protocolshould achieve using BAN logic

(g1) 119878119895| equiv 119880119894| equiv 119880119894119878119870119894119895larr997888rarr 119878119895

(g2) 119878119895| equiv 119880119894119878119870119894119895larr997888rarr 119878119895


(g4) 119880119894| equiv 119880119894119878119870119894119895larr997888rarr 119878119895

Secondly we give the idealized form of the new protocolas follows

(m1) 119880119894 997888rarr 119878119895 (119868119863119894 119877119875119882119894 1198801198941198731larr997888rarr 119878119895)

119880119894

119909119894larrrarr119877119862

(m2) 119878119895 997888rarr 119877119862 (1198601198681198631015840119894 119878119868119863119895 119877119875119882119894 1198801198941198731larr997888rarr

119878119895)119878119895

119910119895

larrrarr119877119862

(m3) 119877119862 997888rarr 119878119895 (119879119888 1198801198941198731larr997888rarr 119878119895)

119878119895

119910119895


(m4) 119878119895 997888rarr 119880119894 (119878119868119863119895 1198731 119880119894119878119870119894119895larr997888rarr 119878119895)

1198801198941198731larr997888rarr119878119895

(m5) 119880119894 997888rarr 119878119895 (1198731 1198732 119880119894119878119870119894119895larr997888rarr 119878119895)

11988011989411987311198732larr997888997888997888rarr119878119895

Next we list the following initiative premises of the newprotocol

(p1) 119880119894| equiv 1198731(p2) 119878119895| equiv 1198732

(p3)119880119894| equiv 119880119894119909119894larrrarr 119877119862

(p4) 119877119862| equiv 119880119894119909119894larrrarr 119877119862

(p5) 119878119895| equiv 119878119895119910119895larrrarr 119877119862

(p6) 119877119862| equiv 119878119895119910119895larrrarr 119877119862

(p7) 119878119895| equiv 119877119862 997904rArr 1198801198941198731larr997888rarr 119878119895



Table 3 BAN logic notations and postulates

Notations and postulates Description119875| equiv 119883 119875 believes the statement119883 is true119875 ⊲ 119883 119875 sees119883119875| sim 119883 119875 once said that119883 or has sent a message containing119883119875 997904rArr 119883 119875 has control over 119883119883 119883 is fresh

119875119870larrrarr 119876

119875 and 119876 can communicate using the shared key119870only 119875 119876 or a trusted third party know119870

(119883)119896 The formula 119883 is combined with the formula 119870

119875| equiv 119875119870larrrarr 119876119875 ⊲ 119883119870

119875| equiv 119876| sim 119883Rule(a) The message-meaning rule

119875| equiv 119876 997904rArr 119883 119875| equiv 119876| equiv 119883

119875| equiv 119883Rule(b) The jurisdiction rule

119875| equiv (119883) 119875| equiv 119876| sim 119883119875| equiv 119876| equiv 119883

Rule(c) The nonce-verification rule

119875| equiv (119883)119875| equiv (119883 119884)

Rule(d) The freshness-conjuncatenation rule

119875| equiv 119883 119875| equiv 119884

119875| equiv (119883 119884)119875| equiv 119876| equiv (119883 119884)119875| equiv 119876| equiv 119883

Rule(e) The belief rule


(p10)119880119894| equiv 1198801198941198731larr997888rarr 119878119895

(p11) 119878119895| equiv 1198801198941198732larr997888rarr 119878119895

(p12) 119878119895| equiv 119879119888(p13) 119877119862| equiv 119879119895

Finally we analyze the new protocol using the BAN logicrules and the assumptions

From message 1198983 we obtain

(S1) 119878119895 ⊲ (119879119888 1198801198941198731larr997888rarr 119878119895)

119878119895

119910119895


From (p5) (S1) and Rule(a) we get

(S2) 119878119895| equiv 119877119862| sim (119879119888 1198801198941198731larr997888rarr 119878119895)

From (p12) and Rule(d) we get

(S3) 119878119895| equiv (119879119888 1198801198941198731larr997888rarr 119878119895)

From (S2) (S3) and Rule(c) we get

(S4) 119878119895| equiv 119877119862| equiv (119879119888 1198801198941198731larr997888rarr 119878119895)

From (S4) and Rule(e) we get

(S5) 119878119895| equiv 119877119862| equiv 1198801198941198731larr997888rarr 119878119895

From (p7) (S5) and Rule(b) we get

(S6) 119878119895| equiv 1198801198941198731larr997888rarr 119878119895

From message (m4) we have

(S7) 119880119894 ⊲ (119878119868119863119895 1198731 119880119894119878119870119894119895larr997888rarr 119878119895)

1198801198941198731larr997888rarr119878119895


(S8) 119880119894| equiv 119878119895| sim (119878119868119863119895 1198731 119880119894119878119870119894119895larr997888rarr 119878119895)


(S9) 119880119894| equiv (119878119868119863119895 1198731 119880119894119878119870119894119895larr997888rarr 119878119895)


(S10)119880119894| equiv 119878119895| equiv (119878119868119863119895 1198731 119880119894119878119870119894119895larr997888rarr 119878119895)


(S11) 119880119894| equiv 119878119895| equiv 119880119894119878119870119894119895larr997888rarr 119878119895(g3)

From (P8) (S11) and Rule(b) we get

(S12) 119880119894| equiv 119880119894119878119870119894119895larr997888rarr 119878119895(g4)


(S13) 119878119895 ⊲ (1198731 1198732 119880119894119878119870119894119895larr997888rarr 119878119895)

11988011989411987311198732larr997888997888997888rarr119878119895

From (p11) (S6) (S13) and Rule(a) we get




(S15) 119878119895| equiv (1198731 1198732 119880119894119878119870119894119895larr997888rarr 119878119895)


(S16) 119878119895| equiv 119880119894| equiv (1198731 1198732 119880119894119878119870119894119895larr997888rarr 119878119895)



Finally From (P9) (S17) and Rule(b) we get


According to (g1) (g2) (g3) and (g4) we conclude thatthe new protocol provides the mutual authentication and ashared secret key between the user and the server after asuccessful running of the protocol

42 Formal Security Analysis Recent research has shown thatuser-chosen passwords follow the Zipf rsquos law [41] a vastlydifferent distribution from the uniform distribution In thissubsection we provide a formal security analysis of the newprotocol with the Zipf rsquos law

Theorem 1 Let 119897 be the length of the biometric key 119861119868119874119894 let|119867119886119904ℎ| be the range space of hash function ℎ(sdot) and both119862 and119904 are the Zipf rsquos parameters [41] Let 119902119904119890119899119889 be Send queries and119902ℎ be Hash oracle queries For any adversaryA in polynomialtime 119905 against the new protocol 119875 in the random oracle theadvantage ofA breaking the 119878119870 minus 119904119890119888119906119903119894119905119910 of 119875 is

119860119889V119886119896119890119901 le1199022ℎ

|119867119886119904ℎ|+119862 sdot 1199021199041199041198901198991198892119897minus1

(1)

Proof Let119864119894 be the event thatA guesses bit 119887 for119866119894 in the testsession successfully According to the new protocol A doesnot need to guess or compute the userrsquos identity since there isonly one user The games 1198660 to 1198663 are listed as follows

Game 1198660 This game corresponds to the real attack in therandom oracle model Hence

119860119889V119886119896119890119901 = 10038161003816100381610038162pr [1198640] minus 11003816100381610038161003816 (2)

Game 1198661 We simulateArsquos eavesdropping attack by querying119864119909119890119888119906119905119890 oracles Then A sends the 119879119890119904119905 query and decideswhether the outcome of 119879119890119904119905 query matches with 119878119870 whichcan be calculated as 119878119870119894119895 = ℎ(119860119868119863119894 119878119868119863119895 1198731 1198732)A cannot get the message about 119875119878119870 ℎ(119883) and119860119868119863119894 due tothe security of 119878119895 rsquos119875119878119870 and119880119894rsquos ℎ(119883)ThusA cannot increasethe chance of winning game 1198661 Hence we have

pr [1198640] = pr [1198641] (3)

Game 1198662 We simulate Arsquos active attack by querying 119878119890119899119889and 119867119886119904ℎ oracles A will manage to find the collisions of119867119886119904ℎ in the way of make queries but it is impossible for

him to know the message of both 11986011986811986311989411987211198722 119861119894 119863119894 119879119894and 11987811986811986311989511987271198728 without the knowledge of 119879119894 1198731 and1198732 Hence there is no collision when querying 119878119890119899119889 oraclesUsing the birthday paradox we obtain

1003816100381610038161003816pr [1198642] minus pr [1198641]1003816100381610038161003816 =

1199022ℎ2 |119867119886119904ℎ|

(4)

Game 1198663 This game simulates the smart card lost attack byquerying 119862119900119903119903119906119901119905119878119862 oracle If A wants to obtain the secretinformation of users he tries online dictionary attack due tothe low entropy of password or other computing modes toget 119875119894 which is used as the biometrics key with the messagefrom 119878119862119894 Unfortunately A has to know 119877119894 isin 0 1119897 withthe probability approximated as 12119897 because we use fuzzyextractor function to extract at most 119897 nearly random bits of119877119894 Even if using the Zipf rsquos law on passwords we still have

1003816100381610038161003816pr [1198643] minus pr [1198642]1003816100381610038161003816 le

119862 sdot 1199021199041199041198901198991198892119897

(5)

Moreover A cannot get any useful messages about thevalue of 119888 because of the independence and randomness ofeach session key Thus we have

pr [1198643] =1

2 (6)

Combined the above steps we can get the result asfollows

119860119889V119886119896119890119901 le1199022ℎ

|119867119886119904ℎ|+119862 sdot 1199021199041199041198901198991198892119897minus1

(7)

43 Informal Security Analysis In this subsection informalsecurity analysis is conducted to show that the new protocolcan withstand various attacks

Replay Attack IfA replays a former piece of userrsquos messagesto server he will not success since a timestamp is used in eachsession to guarantee the freshness of time If the informationin a previous session is replayed the interval between 119879119895and 119879119894 will not be in an endurable range Therefore in theauthentication phaseA cannot pass the authentication in thefirst step Hence the new protocol can resist the replay attack

Modification Attack It is assumed that an adversary Aintercepts the information transmitted on the public channeland intends tomodify the information to pass the authentica-tion Unfortunately the integrity of the transmitted messagesin the new scheme is protected by using one-way hashfunction Moreover A cannot retrieve 1198731 and 1198732 from theintercepted messages thus he cannot generate a legitimateauthentication messageTherefore the new protocol can resistthe modification attack

Server Session Key Attack In our proposed scheme on onehand session key 119878119870119894119895 contains 1198731 1198732 119860119868119863119894 119878119868119863119895 1198731and 1198732 which are different in every session and thus cannot


be retrieved directly by a malicious adversary A On theother hand our scheme provides mutual authentication inthe authentication phase and makes an improvement ieboth of the user and the server knowwhether 119878119870119894119895 has alreadybeen generated by each other If the server 1198781 wants to obtainthe session key 119878119870119894119895 by calculation he has to obtain 1199102 since1198731 = 1198725 oplus 1199102 oplus 119875119878119870 Unfortunately the specific value of1199102 is known only to 1198782 and 119877119862 After receiving the messagestransmitted from the user the server calculates1198729 = ℎ(119878119870119894119895 1198731 1198732) which means that the authentication is passedand valid session key has already be generated by each otherTherefore our scheme holds the security of session Key

User Impersonation Attack If A is going to impersonate avalid userA has to retrieve 119861119868119874119894 119875119882119894 and 119868119863119894 of 119880119894 to passthe authentication in calculating ℎ(1198681198631015840119894 1198771198751198821015840119894 ) = 119881119894 inlogin phase It is impossible for him to make it as a result ofour perfect user anonymity and the uniqueness of biometricmessage If the adversary wants to get access to 119878119895 as a validuser with the messages 119860119868119863119894 119879119894 119861119894 119863119894 1198721 and 1198722 hecannot pass the check1198722 = ℎ(119860119868119863119894 119877119875119882119894 119878119868119863119895 119879119894) andform a session key with the server he communicates with

Forgery Attack The forgery attack refers to the existence of alegitimate but malicious user A who attempts to falsify theidentity information of another legitimate user to login andauthenticate In the communication between the legal server119878119895 and the user 119880119894 the real identity 119868119863119894 of 119880119894 is protected by119860119868119863119894 ie119860119868119863119894 = 119868119863119894oplusℎ(119883)oplusℎ(119860 119894) In addition the identity119860 119894 is different for each user Therefore the malicious userAcannot obtain the real identity 119868119863119894 of another legitimate userTherefore our scheme can prevent forgery attack

Masquerade Attack Under this attack A can authenticatewith the server 119878119895 as a legal user and attempt to acquirethe session key 119878119870 using the information transmitted atthe authentication phase In order to resist this attack allmessages transmitted in the public channel contain thedestination or source information such as 1198722 = ℎ(119860119868119863119894 119877119875119882119894 119878119868119863119895 119879119894) and1198724 = ℎ(119860119868119863

1015840119894 119878119868119863119895 119910119895 119879119895) with

119860119868119863 or 119878119868119863 So that 119880119894 and 119878119895 verify whether one wants to beauthenticated by the other Therefore our protocol can resistthe masquerade attack

Smart CardAttack If the userrsquos smart card is stolen or lost andall the messages stored have been divulged by the adversarythere still no way for him to pass the authentication At firstafter acquiring 119861119894119863119894119881119894 119864119894 and 119865119894A still cannot get 119868119863119894 and119877119875119882119894 SoA is not capable of forging a valid user 119880119894 AlsoAcannot get any useful messages such as 119877119875119882119894 119860 119894 and 119875119878119870using the messages stored in a smart cardTherefore the newprotocol is resistant to the stolen or lost smart card attack

Offline Guessing Attack A may get 119861119894 119862119894 119863119894 119864119894 119865119894 and 119881119894by side channel attack such as SPA and DPA However hecannot change the userrsquos password without 119861119868119874119894 ℎ(119875119878119870)119883or 119909119894 during the offline environment In addition one-wayhash function is adopted to protect userrsquos password Since itis impossible for different user to own the same biometric

template offline guessing attack can be avoided in the newprotocol

DoS Attack DoS attack can seriously affect the efficiency ofthe server causing the server to lose availability However allmessages transmitted to the server and 119877119862 would be timestamped With the help of the timestamp the server and119877119862 would verify the freshness and legitimacy of the messageby checking 1198722 1198724 and 1198726 In addition login operationsrequire a fuzzy extractor to meet the biometric requirementsTherefore our scheme can resist DoS attack

Server Spoofing Attack IfA attempts to imitate a valid serverhe is supposed to have the preshared key a long-term secretkey shared between 119877119862 and 119878119895 In the new protocol ℎ(119875119878119870)and 119910119895 function as the preshared key which are transmittedthrough a secure channel and is unavailable to anyone otherthan 119877119862 and servers Without 119910119895 it is impossible for theadversary to calculate 1198731 in the authentication phase since1198731 = 1198725 oplus 119910119895 And also without ℎ(119875119878119870) and 1198731 theadversary cannot get 1198732 since 1198732 = 1198727 oplus ℎ(119860119868119863119894 1198731) ℎ(119875119878119870) Thus the adversary cannot imitate a valid server

User Anonymity The users real identity is protected byreplacing 119868119863119894 with 119860119868119863119894 where 119860119868119863119894 = 119868119863119894 oplus ℎ(119883) oplus ℎ(119860 119894)Also due to the hash function and the secret key either anoutside adversary A or an honest-but-curious server cannotfigure out 119868119863119894 through119860119868119863119894Thus the weak anonymity of theuser is guaranteed

Regrettably the anonymity of the new scheme is notperfect For example assuming that the server cooperateswith a malicious user the malicious user provides ℎ(119883) bycalculating ℎ(119883) = 119877119875119882119894 oplus 119865119894 and the server calculates 119860 119894through119860 119894 = 119875119878119870oplus119863119894oplusℎ(119875119878119870) then the server can calculate119868119863119894 by calculating 119868119863119894 = 119860119868119863119894 oplus ℎ(119883) oplus ℎ(119860 119894) Moreoveran adversary A with 119880119894rsquos lost smart card can also compute119880119894rsquos identity Therefore our scheme just provides the weakanonymity

5 Efficiency Analysis

Efficiency analysis is conducted in this section to evaluatethe new protocol The comparisons including the resistancefunctionality and performance are summarized In Table 5let (S1) denote Chuang et alrsquos protocol [29] (S2) denoteWanget alrsquos protocol [33] (S3) denote Yang et alrsquos protocol [24](S4) denote Reddy et alrsquos protocol [34] (S5) denote HE-WANGrsquos protocol [42] and (S6) denote Odelu et alrsquos protocol[43] The following notations are defined in Table 4

Security comparison is offered by Table 5 In Table 5 ldquordquodenotes that the security has not been analyzed until nowFrom Table 5 it is easy to see that protocols of (S1) (S2)(S3) and (S4) which do not include the registration centerinto the authentication phase can not resist the passive attackfrom an honest-but-curious server Although (S5) is resistantto above attack it can not resist the user impersonate attackand smart card attack The new protocol together with (S6)achieves all resistance requirements since they implementthe authentication with the help of the authentication centerThus they are more secure than the first five protocols


Table 4 Notations in security comparison table

1198771 resistance to replay attack1198772 resistance to modification attack1198773 resistance to Server session key attack1198774 resistance to user impersonate attack1198775 resistance to forgery attack1198776 resistance to masquerade attack1198777 resistance to smart card attack1198778 resistance to off-line guessing attack1198779 resistance to Dos attack11987710 resistance to server spoofing attack

Table 5 The security comparison

S1 S2 S3 S4 S5 S6 our scheme1198771 No Yes Yes Yes No Yes Yes1198772 Yes Yes Yes Yes Yes Yes1198773 No No No Yes Yes1198774 No No Yes Yes No Yes Yes1198775 Yes Yes Yes Yes Yes1198776 No No Yes Yes Yes1198777 No No Yes Yes Yes Yes Yes1198778 Yes Yes Yes Yes Yes Yes Yes1198779 No Yes Yes Yes Yes Yes Yes11987710 No Yes Yes Yes Yes Yes

Table 6 Notations in functionality comparison table

1198651 anonymity1198652 mutual authentication1198653 session key agreement1198654 perfect forward secrecy1198655 user revocationre-registration

Functionalities comparison is listed in Table 7 The nota-tions that appear in Table 7 are lists in Table 6 It can beseen that (S1) (S2) (S3) and (S4) do not provide userrevocationreregistration functionality and (S5) does notoffer anonymity property Only our new protocol and (S6)provide all five basic functionality requirements

Nowwe conduct the efficiency analysis including compu-tation overhead and communication overhead To comparewith other related works only login and authentication phaseare considered

Tables 9 and 10 list the computation cost comparisonsfrom different aspects The notations that appear in Table 9are listed in Table 8 For the computation efficiency weonly calculate the number of hash functions while ignoreExclusive OR operation and concatenating operation sincethey require little computational cost Let 119879120596 denote thecomputation time for symmetric-key encryptiondecryptionwhich is known as about 0005ms119879ℎ denote the computationtime for one-way hash function which is known as about

0002ms and 119879119898 denote the computation time for ellipticcurve point multiplication which is known as about 2226ms

Table 9 compares the computation time according toprotocolrsquos different phase From Table 9 we can find that thenew protocols together with (S1) (S2) (S3) and (S4) spendalmost the same time since only hash function contributes tocomputation cost On the other hand (S5) and (S6) take moretime for computation due to the expensive elliptic curve pointmultiplication operations

Table 10 compares the computation time according todifferent participants The userrsquos executing time in the newprotocol only needs 0014ms which proves that the newprotocol provides the most efficient usersquos computation Interms of serverrsquos executing time the new protocol spendsalmost the same time as that of the most efficient protocolsie (S1) (S2) and (S3) To resist the passive attack from thehonest-but-curious servers (S5) (S6) and the new protocolintroduce the registration center into the authenticationphase which would bring extra burden for the trusty regis-tration center As shown in Table 10 119877119862 needs extra 447msfor (S5) and extra 2263ms for (S6) In the new protocol 119877119862is only used to transmit the secret information instead ofauthenticating user and server As a result the extra executingtime for 119877119862 in the new protocol is only 0008ms which ismuch less than that of (S5) and (S6) Therefore the newprotocol is the most efficient one among the second kind ofmultiserver authentication protocols In conclusion amongall of themultiserver protocols against the passive attack from


Table 7 The functionality comparison

S1 S2 S3 S4 S5 S6 our scheme1198651 Yes Yes Yes Yes No Yes Yes1198652 No Yes Yes Yes Yes Yes Yes1198653 Yes Yes Yes Yes Yes Yes Yes1198654 No Yes Yes Yes Yes Yes Yes1198655 No No Yes Yes Yes Yes Yes

Table 8 Notations in computation comparison table

1198621 computation overhead in the login phase1198622 execution overhead in the login phase1198623 computation overhead in the authentication phase1198624 execution overhead in the authentication phase1198625 total execution overhead

Table 9 Computation cost comparison in different phase

S1 S2 S3 S4 S5 S6 our scheme1198621 4119879ℎ 4119879ℎ 5119879ℎ 6119879ℎ+1119879119898 3119879ℎ+2119879119898 5119879ℎ+2119879119898+1119879120596 3119879ℎ1198622 0008ms 0008ms 001ms 2238ms 4458ms 4467ms 0006ms1198623 13119879ℎ 11119879ℎ 13119879ℎ 9119879ℎ+3119879119898 18119879ℎ+6119879119898 19119879ℎ+4119879119898+5119879120596 17119879ℎ1198624 0026ms 0022ms 0026ms 6696ms 13392ms 8967ms 0034ms1198625 0034ms 003ms 0036ms 8934ms 1785ms 13434ms 004ms

Table 10 Computation cost comparison in different participants

S1 S2 S3 S4 S5 S6 our scheme119880119904119890119903 119888119900119904119905 9119879ℎ 8119879ℎ 9119879ℎ 9119879ℎ+2119879119898 7119879ℎ+3119879119898 7119879ℎ+3119879119898+1119879120596 7119879ℎ119880119904119890119903 119905119894119898119890 0018ms 0016ms 0018ms 447ms 6692ms 6697ms 0014ms119878119890119903V119890119903 119888119900119904119905 8119879ℎ 7119879ℎ 9119879ℎ 6119879ℎ+2119879119898 5119879ℎ+3119879119898 6119879ℎ+2119879119898+2119879120596 9119879ℎ119878119890119903V119890119903 119905119894119898119890 0016ms 0014ms 0018ms 4464ms 6688ms 4474ms 0018ms119877119862 119888119900119904119905 9119879ℎ+2119879119898 11119879ℎ+1119879119898+3119879120596 4119879ℎ119877119862 119905119894119898119890 447ms 2263ms 0008ms119879119900119905119886119897 119888119900119904119905 17119879ℎ 15119879ℎ 18119879ℎ 15119879ℎ+4119879119898 21119879ℎ+8119879119898 24119879ℎ+6119879119898+6119879120596 20119879ℎ119879119900119905119886119897 119905119894119898119890 0034ms 003ms 0036ms 8934ms 1785ms 13434ms 004ms

an honest-but-curious attack the new protocol is the mostcomputational efficient one

Table 12 lists the new protocolrsquos communication costtogether with the other related protocols Suppose the ran-dom number 119909119894 is 160 bits the length of the user identityis 160 bits the length of the timestamp is 16 bits and theoutput length of one-way hash function is 160 bits if SHA-1 isadopted Table 11 shows the notations that appear in Table 12In the new protocol when 119880119894 logs in he has to transmit1198721119860119868119863119894 1198722 119879119894 119861119894 and 119863119894 thus the length of these messagesis (160lowast5+16)8 = 102 bytes In the authentication phase weintroduce the registration center so the communication costis a little more than (S1) (S3) and (S4) about 180 bytes orso Among all of the multiserver protocols against the passiveattack from an honest-but-curious attack the new protocolhas the high communication efficient

Combined with the security properties and the function-alities we conclude that the new protocol and (S6) achieveall basic security properties and satisfy all functionalitiesIn terms of efficiency (S6) spends much more computationtime bandwidth and storage space compared with the newprotocol In conclusion the new protocol is the most efficientmultiserver authentication protocol which satisfies all basicsecurity properties and functionalities

6 Conclusion

In this paper we found that a kind of multifactor multiserverauthentication protocols can not resist the passive attackfrom an honest-but-curious servers We took Wang et alrsquosprotocol as an example to exhibit how an honest-but-curiousserver step by step obtained a session key which should


Table 11 Notations in communication comparison table

1198621198741198721 communication cost in login phase1198621198741198722 communication cost in authentication and key agreement phase1198621198741198723 total communication cost

Table 12 Communication cost comparison table

S1 S2 S3 S4 S5 S6 our scheme1198621198741198721 80 Bytes 102 Bytes 102 Bytes 80 Bytes 64 Bytes 108 Bytes 102 Bytes1198621198741198722 80 Bytes 80 Bytes 60 Bytes 80 Bytes 376 Bytes 260 Bytes 180 Bytes1198621198741198723 160 Bytes 182 Bytes 162 Bytes 160 Bytes 440 Bytes 368 Bytes 282 Bytes

be kept secret from him Moreover we observed that therevocation and reregistration process in their protocol isincorrect To remedy these weaknesses this paper proposed anovel multiserver authentication protocol The new protocolsatisfies comprehensive demands of security and providesversatile and practical functionalities Compared with therelated protocols in computation cost and communicationcost the new protocol is the most efficient multiserverauthentication protocol which satisfies all basic securityproperties and functionalities Therefore the new protocolis secure and relatively efficient in the remote distributedauthentication networks We have noticed that this kind ofattack may also exist in other likewise environment such asthe multifactor multigateway authentication protocol in thewireless sensor networks As a future work we would applythe passive attack from an honest-but-curious gateway tothe multifactor multigateway authentication protocol in thewireless sensor network and try to design secure protocolsfor multigateway wireless sensor network

Data Availability

The paper does not use any data set

Conflicts of Interest

The authors declare that they have no conflicts of interest

Acknowledgments

This work was supported by the National Natural Sci-ence Foundation of China (nos 61572027 61772194 andU1636208) special foundation for coconstruction project ofBeijing the Hunan Provincial Natural Science Foundationof China under Grant no 2018JJ3191 and the Guangxi KeyLaboratory of Trusted Software (no KX201707)

References

[1] X Yang X Huang and J K Liu ldquoEfficient handover authenti-cationwith user anonymity anduntraceability forMobile CloudComputingrdquo Future Generation Computer Systems vol 62 pp190ndash195 2016

[2] S A Chaudhry ldquoA secure biometric basedmulti-server authen-tication scheme for social multimedia networksrdquo MultimediaTools and Applications vol 75 no 20 pp 12705ndash12725 2016

[3] J Shen S Chang J Shen Q Liu and X Sun ldquoA lightweightmulti-layer authentication protocol for wireless body areanetworksrdquo Future Generation Computer Systems 2016

[4] D He N Kumar M K Khan and J-H Lee ldquoAnonymous two-factor authentication for consumer roaming service in globalmobility networksrdquo IEEE Transactions on Consumer Electronicsvol 59 no 4 pp 811ndash817 2013

[5] C Jin C Xu X Zhang and J Zhao ldquoA secure RFID mutualauthentication protocol for healthcare environments usingelliptic curve cryptographyrdquo Journal of Medical Systems vol 39no 3 pp 1ndash8 2015

[6] L Lamport ldquoPassword authentication with insecure communi-cationrdquo Communications of the ACM vol 24 no 11 pp 770ndash772 1981

[7] L Li I Lin andM Hwang ldquoA remote password authenticationscheme for multiserver architecture using neural networksrdquoIEEE Transactions on Neural Networks and Learning Systemsvol 12 no 6 pp 1498ndash1504 2001

[8] I C Lin M S Hwang and L H Li ldquoA new remote userauthentication scheme for multi-server architecturerdquo FutureGeneration Computer Systems vol 19 no 1 pp 13ndash22 2003

[9] X Cao and S Zhong ldquoBreaking a remote user authenticationscheme for multi-server architecturerdquo IEEE CommunicationsLetters vol 10 no 8 pp 580-581 2006

[10] W S Juang ldquoEfficient multi-server password authenticated keyagreement using smart cardsrdquo IEEE Transactions on ConsumerElectronics vol 50 no 1 pp 251ndash255 2004

[11] C-C Chang and J-S Lee ldquoAn efficient and secure multi-server password authentication scheme using smart cardsrdquo inProceedings of the Proceedings - 2004 International Conferenceon Cyberworlds CW 2004 pp 417ndash422 Japan November 2004

[12] J-L Tsai ldquoEfficient multi-server authentication scheme basedon one-way hash function without verification tablerdquo Comput-ers amp Security vol 27 no 3-4 pp 115ndash121 2008

[13] Y P Liao and S S Wang ldquoA secure dynamic ID based remoteuser authentication scheme for multi-server environmentrdquoComputer Standards amp Interfaces vol 31 no 1 pp 24ndash29 2009

[14] T Chen Y M Hwang S C Lee et al ldquoCryptanalysis of a SecureDynamic ID Based Remote User Authentication Scheme forMulti-Server Environmentrdquo Innovative Computing Informationand Control (ICICIC) pp 725ndash728 2009


[15] H Hsiang C and K Shih W ldquoImprovement of the securedynamic IDbased remote user authentication scheme formulti-server environmentrdquo Computer Standards amp Interfaces vol 31no 6 pp 1118ndash1123 2009

[16] C Lee T Lin and R Chang ldquoA secure dynamic ID basedremote user authentication scheme for multi-server environ-ment using smart cardsrdquo Expert Systems with Applications vol38 no 11 pp 13863ndash13870 2011

[17] D Wang D He P Wang and C-H Chu ldquoAnonymous Two-Factor Authentication in Distributed Systems Certain GoalsAre BeyondAttainmentrdquo IEEE Transactions on Dependable andSecure Computing vol 12 no 4 pp 428ndash442 2015

[18] X Li M H Ibrahim S Kumari A K Sangaiah V Guptaand K R Choo ldquoAnonymous mutual authentication and keyagreement scheme for wearable sensors in wireless body areanetworksrdquo Computer Networks vol 129 pp 429ndash443 2017

[19] X Li J Niu M Z A Bhuiyan F Wu M Karuppiah and SKumari ldquoA Robust ECC based Provable Secure AuthenticationProtocol with Privacy Protection for Industrial Internet ofThingsrdquo IEEE Transactions on Industrial Informatics vol 14 no8 pp 3599ndash3609 2018

[20] X Li J Peng J Niu FWu J Liao andK-K R Choo ldquoA Robustand Energy Efficient Authentication Protocol for IndustrialInternet of Thingsrdquo IEEE Internet of Things Journal vol 5 no3 pp 1606ndash1615 2018

[21] R Amin S K H Islam N Kumar and K-K R Choo ldquoAnuntraceable and anonymous password authentication protocolfor heterogeneouswireless sensor networksrdquo Journal of Networkand Computer Applications vol 104 pp 133ndash144 2018

[22] D He and S Wu ldquoSecurity flaws in a smart card basedauthentication scheme for multi-server environmentrdquoWirelessPersonal Communications vol 70 no 1 pp 323ndash329 2013

[23] R S Pippal C D Jaidhar and S Tapaswi ldquoRobust smart cardauthentication scheme for multi-server architecturerdquo WirelessPersonal Communications vol 72 no 1 pp 729ndash745 2013

[24] L Yang and Z Zheng ldquoCryptanalysis and improvement of abiometrics-based authentication and key agreement scheme formulti-server environmentsrdquo PLoS ONE vol 13 no 3 2018

[25] C-T Li and M-S Hwang ldquoAn efficient biometrics-basedremote user authentication scheme using smart cardsrdquo Journalof Network and Computer Applications vol 33 no 1 pp 1ndash52010

[26] X Li J W Niu J Ma W D Wang and C L Liu ldquoCrypt-analysis and improvement of a biometrics-based remote userauthentication scheme using smart cardsrdquo Journal of Networkand Computer Applications vol 34 no 1 pp 73ndash79 2011

[27] E-J Yoon and K-Y Yoo ldquoRobust biometrics-based multi-server authentication with key agreement scheme for smartcards on elliptic curve cryptosystemrdquoThe Journal of Supercom-puting vol 63 no 1 pp 235ndash255 2013

[28] H KimW Jeon K Lee Y Lee andDWon ldquoCryptanalysis andimprovement of a biometrics-based multi-server authentica-tionwith key agreement schemerdquo inProceedings of InternationalConference on Computational Science and Its Applications pp391ndash406 2012

[29] M-C Chuang and M C Chen ldquoAn anonymous multi-serverauthenticated key agreement scheme based on trust computingusing smart cards and biometricsrdquo Expert Systems with Applica-tions vol 41 no 4 pp 1411ndash1418 2014

[30] D Mishra A Das and S Mukhopadhyay ldquoA secure useranonymity-preserving biometric-based multi-server authenti-cated key agreement scheme using smart cardsrdquo Expert Systemswith Applications vol 41 no 18 pp 8129ndash8143 2014

[31] Y Lu L Li X Yang and Y Yang ldquoRobust biometrics basedauthentication and key agreement scheme for multi-serverenvironments using smart cardsrdquo PLoS ONE vol 10 no 5Article ID 0126323 2015

[32] A G Reddy A K Das V Odelu and K-Y Yoo ldquoAn enhancedbiometric based authentication with key-agreement protocolfor multi-server architecture based on elliptic curve cryptogra-phyrdquo PLoS ONE vol 11 no 5 2016

[33] CWang X Zhang and Z Zheng ldquoCryptanalysis and improve-ment of a biometric-based multi-server authentication and keyagreement schemerdquo PLoS ONE vol 11 no 2 2016

[34] A G Reddy E-J Yoon A K Das V Odelu and K-Y YooldquoDesign of Mutually Authenticated Key Agreement ProtocolResistant to Impersonation Attacks for Multi-Server Environ-mentrdquo IEEE Access vol 5 pp 3622ndash3639 2017

[35] P Jiang Q Wen W Li Z Jin and H Zhang ldquoAn anonymousand efficient remote biometrics user authentication scheme ina multi server environmentrdquo Frontiers of Computer Science vol9 no 1 pp 142ndash156 2015

[36] A K Das P Sharma S Chatterjee and J K Sing ldquoA dynamicpassword-based user authentication scheme for hierarchicalwireless sensor networksrdquo Journal of Network and ComputerApplications vol 35 no 5 pp 1646ndash1656 2012

[37] D Wang Q Gu H Cheng and P Wang ldquoThe request forbetter measurement A comparative evaluation of two-factorauthentication schemesrdquo in Proceedings of 11th ACM AsiaConference on Computer and Communications Security ASIACCS pp 475ndash486 China June 2016

[38] S Qiu G Xu H Ahmad and L Wang ldquoA Robust MutualAuthentication Scheme Based on Elliptic Curve Cryptographyfor Telecare Medical Information Systemsrdquo IEEE Access vol 6pp 7452ndash7463 2017

[39] S Qiu G Xu H Ahmad and Y Guo ldquoAn enhanced passwordauthentication scheme for session initiation protocol withperfect forward secrecyrdquo PLoS ONE vol 13 no 3 2018

[40] M Burrows M Abadi and R Needham ldquoLogic of authentica-tionrdquo ACM Transactions on Computer Systems vol 8 no 1 pp18ndash36 1990

[41] D Wang and P Wang ldquoOn the anonymity of two-factorauthentication schemes for wireless sensor networksrdquo Com-puter Networks pp 73-41 2014

[42] D He and D Wang ldquoRobust Biometrics-Based AuthenticationScheme for Multiserver Environmentrdquo IEEE Systems Journalvol 9 no 3 pp 816ndash823 2015

[43] V Odelu A K Das and A Goswami ldquoA Secure Biometrics-Based Multi-Server Authentication Protocol Using SmartCardsrdquo IEEE Transactions on Information Forensics and Secu-rity vol 10 no 9 pp 1953ndash1966 2015

International Journal of

AerospaceEngineeringHindawiwwwhindawicom Volume 2018

RoboticsJournal of

Hindawiwwwhindawicom Volume 2018


Active and Passive Electronic Components

VLSI Design



Shock and Vibration


Civil EngineeringAdvances in

Acoustics and VibrationAdvances in



Electrical and Computer Engineering

Journal of

Advances inOptoElectronics

Hindawiwwwhindawicom

Volume 2018

Hindawi Publishing Corporation httpwwwhindawicom Volume 2013Hindawiwwwhindawicom

The Scientific World Journal

Volume 2018

Control Scienceand Engineering

Journal of



Journal ofEngineeringVolume 2018

SensorsJournal of



RotatingMachinery


Modelling ampSimulationin EngineeringHindawiwwwhindawicom Volume 2018


Chemical EngineeringInternational Journal of Antennas and

Propagation




Navigation and Observation


Hindawi

wwwhindawicom Volume 2018

Advances in

Multimedia

Submit your manuscripts atwwwhindawicom


anonymity [12] In 2009 a remote multiserver authenticationscheme which satisfies anonymity property was proposed[13] but it does not have forward security [14] BesidesHsiang and Shih [15] presented a new protocol to resistvarious attacks however some drawbacks on mutual authen-tication are pointed out [16] Recently a big breakthrough iethe inner relationships of evaluation criteria for anonymoustwo-factor authentication protocol is explored by Wang etal [17] To improve the security of remote communicationsmart card gradually came into use in authentication whichmade it possible for more convenient authentication andcommunication Some remote authentication protocols formultiserver environment with a smart card were proposedbut proved to be insecure in the end [21ndash23]

Relying on smart card and password as the authenticationmethod already cannot meet todayrsquos needs In the latest fewyears more and more authentication protocols adopt bio-metrics messages in mutual authentication to strengthen thesecurity and enhance the efficiency of the existing protocolsIn 2010 Yang et al [24] introduced a three-factor multiserverauthentication protocol Unfortunately the protocol has lowcomputation efficiency and cannot resist the insider attack Liet al proposed an efficient protocol [25] which allows users tochange the password and the calculation cost is lowHowevertheir scheme cannot provide appropriate certification andfailed to resist man-in-the-middle attack [26] Adoptingelliptic curve cryptography Yoon et al [27] in 2011 designeda novel protocol unfortunately Kim et al [28] showed thatYoon et al [27] protocol is insecure In 2014 Chuang etal [29] put forward an anonymous protocol but Mishraet al [30] broke their protocol Later Lu et al [31] foundthat there are several weaknesses in Mishra et alrsquos improvedprotocol and they also presented an improved protocolwhich is broken by Reddy et al [32] Meanwhile Wang etal [33] also found that Mishra et alrsquos improved protocolis insecure Regrettably some weaknesses in Wang et alrsquosprotocol [33] were shown by Yang et al [24] and Reddy etal [34] separately Recently Jiang et al [35] and He et alput forwardmultiserver authenticated protocols using ellipticcurve cryptography(ECC) separately Unfortunately Odeluet al found that there are flaws in He et als protocol inlogin and password change phases and can not resist theimpersonation attack

All of the above three-factor multiserver authenticationprotocols can be categorized into two classes ie the pro-tocols which implement the authentication independent ofthe registration center and the protocols which need thehelp of the registration center in the authentication phaseAfter carefully examining the known three-factormultiserverauthentication protocols we find that almost all of the firstkind of protocols cannot resist the passive attack from anhonest-but-curious server since all servers share a commonsecret key More precisely an honest-but-curious server cancompute session keys which are shared between a userand other servers by eavesdropping messages transmittingbetween the users and other servers In this paper we takeWang et alrsquos protocol as an example to show how an honest-but-curious server obtains a session key which should be keptsecret from him Moreover we find some other drawbacks

in their protocol For example in the reregister or revocationphase a user can still use his original password to login andsend message even if he is revoked

To resist the passive attack from the honest-but-curiousservers a trivial solution is to distribute different secretkeys to different severs which would aggravate the userrsquosstorage burden Another method is introducing the regis-tration center into the authentication phase to deal withsecret messages As we mentioned above such protocols arebased on either ECCor symmetric encryption cryptosystemswhich heavily affect the computation efficiency To balancethe security problem brought by the honest-but-curiousservers and the efficiency problem brought by involving theregistration center into the authentication we propose a novelmultiserver authentication protocol In authentication phaseof new protocol the involved registration center only adoptshash and XOR operations for the computation instead ofECC and symmetric cryptosystem thus greatly improvingthe protocolrsquos computation efficiency As far as we known thisis the first time to consider the passive attack from honest-but-curious servers for multiserver authentication protocolsMoreover the new protocol is the first protocol which onlyadopts hash and XOR operations for computation wheninvolving the registration center into the authentication

The remaining of the paper is organized as followsSection 2 reviews and analyzes the security of Wang et alrsquosprotocol In Section 3 we present the new three-factor mul-tiserver authentication scheme in detail Section 4 providesthe formal and informal secure analysis of the new protocolIn Section 5 comparisons including security functionalitiescomputation cost and communication cost are conductedThe last section gives a conclusion

2 Some Weakness of Wang et alrsquos Scheme

We firstly give the details about Wang et alrsquos protocol andthen show how an honest-but-curious server attacks theirprotocol step by step

21 Review of Wang et alrsquos Protocol Wang et alrsquos protocolinvolves five phases ie registration phase login phaseauthentication phase password changing phase and revoca-tionreregistration phase which are executed by the user 119880119894the server 119878119895 and the registration center119877119862The symbols andnotations are listed in Table 1 Assume 119877119862 is a trusted thirdparty which is able to register for users and servers

Registration Phase(i) Registration phase of server

(a) 119878119895 sends a request message to 119877119862(b) 119877119862 authorizes 119878119895 once it receives the message

and returns 119875119878119870 (preshared key) to 119878119895 securely(c) 119878119895 uses 119875119878119870 to check 119880119894rsquos legitimacy in authen-

tication phase

(ii) Registration phase of user

(a) The new user 119880119894 inserts 119878119862119894 into the cardreader inputs 119868119863119894 119875119882119894 and imprints 119861119894 at the







Login Phase




(iv) 119878119862119894 sends 119861119894 11986311989411987211198722 119860119868119863119894 119879119894 to 119878119895












119899119894 = 119861119894 oplus 119877119875119882119894 oplus 119877119875119882

119899119894

119862119899119894 = 119862119894 oplus 119877119875119882119894 oplus 119877119875119882119899119894 and 119881

119899119894 = ℎ(119868119863119894 119877119875119882

119899119894 )


119899119894 and 119881119894 with 119881

119899119894

respectively


















3 The New Protocol






























(iv) 119878119862119894 sends 11986011986811986311989411987211198722 119861119894 119863119894 119879119894 to 119878119895




















119899119890119908119894 = 119861119894 oplus

119877119875119882119894 oplus 119877119875119882119899119890119908119894 119862119899119890119908119894 = 119861119899119890119908119894 oplus ℎ(119875119878119870) 119881119899119890119908119894 =

ℎ(119868119863119894 119877119875119882119899119890119908119894 ) 119864119899119890119908119894 = 119864119894 oplus 119877P119882119894 oplus 119877119875119882

119899119890119908119894 and

119865119899119890119908119894 = 119865119894 oplus 119877119875119882119894 oplus 119877119875119882119899119890119908119894


119865119899119890119908119894 and 119881119899119890119908119894









(g2) 119878119895| equiv 119880119894119878119870119894119895larr997888rarr 119878119895


(g4) 119880119894| equiv 119880119894119878119870119894119895larr997888rarr 119878119895


(m1) 119880119894 997888rarr 119878119895 (119868119863119894 119877119875119882119894 1198801198941198731larr997888rarr 119878119895)

119880119894

119909119894larrrarr119877119862

(m2) 119878119895 997888rarr 119877119862 (1198601198681198631015840119894 119878119868119863119895 119877119875119882119894 1198801198941198731larr997888rarr

119878119895)119878119895

119910119895


(m3) 119877119862 997888rarr 119878119895 (119879119888 1198801198941198731larr997888rarr 119878119895)

119878119895

119910119895


(m4) 119878119895 997888rarr 119880119894 (119878119868119863119895 1198731 119880119894119878119870119894119895larr997888rarr 119878119895)

1198801198941198731larr997888rarr119878119895

(m5) 119880119894 997888rarr 119878119895 (1198731 1198732 119880119894119878119870119894119895larr997888rarr 119878119895)

11988011989411987311198732larr997888997888997888rarr119878119895


(p1) 119880119894| equiv 1198731(p2) 119878119895| equiv 1198732

(p3)119880119894| equiv 119880119894119909119894larrrarr 119877119862

(p4) 119877119862| equiv 119880119894119909119894larrrarr 119877119862

(p5) 119878119895| equiv 119878119895119910119895larrrarr 119877119862

(p6) 119877119862| equiv 119878119895119910119895larrrarr 119877119862






119875119870larrrarr 119876



119875| equiv 119875119870larrrarr 119876119875 ⊲ 119883119870






119875| equiv (119883)119875| equiv (119883 119884)


119875| equiv 119883 119875| equiv 119884




(p10)119880119894| equiv 1198801198941198731larr997888rarr 119878119895

(p11) 119878119895| equiv 1198801198941198732larr997888rarr 119878119895

(p12) 119878119895| equiv 119879119888(p13) 119877119862| equiv 119879119895



(S1) 119878119895 ⊲ (119879119888 1198801198941198731larr997888rarr 119878119895)

119878119895

119910119895





(S3) 119878119895| equiv (119879119888 1198801198941198731larr997888rarr 119878119895)






(S6) 119878119895| equiv 1198801198941198731larr997888rarr 119878119895


(S7) 119880119894 ⊲ (119878119868119863119895 1198731 119880119894119878119870119894119895larr997888rarr 119878119895)

1198801198941198731larr997888rarr119878119895




(S9) 119880119894| equiv (119878119868119863119895 1198731 119880119894119878119870119894119895larr997888rarr 119878119895)








(S13) 119878119895 ⊲ (1198731 1198732 119880119894119878119870119894119895larr997888rarr 119878119895)

11988011989411987311198732larr997888997888997888rarr119878119895





(S15) 119878119895| equiv (1198731 1198732 119880119894119878119870119894119895larr997888rarr 119878119895)










119860119889V119886119896119890119901 le1199022ℎ

|119867119886119904ℎ|+119862 sdot 1199021199041199041198901198991198892119897minus1

(1)



119860119889V119886119896119890119901 = 10038161003816100381610038162pr [1198640] minus 11003816100381610038161003816 (2)


pr [1198640] = pr [1198641] (3)



1003816100381610038161003816pr [1198642] minus pr [1198641]1003816100381610038161003816 =

1199022ℎ2 |119867119886119904ℎ|

(4)


1003816100381610038161003816pr [1198643] minus pr [1198642]1003816100381610038161003816 le

119862 sdot 1199021199041199041198901198991198892119897

(5)


pr [1198643] =1

2 (6)


119860119889V119886119896119890119901 le1199022ℎ

|119867119886119904ℎ|+119862 sdot 1199021199041199041198901198991198892119897minus1

(7)










1015840119894 119878119868119863119895 119910119895 119879119895) with





































6 Conclusion








Data Availability




Acknowledgments


References















































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia








Login Phase




(iv) 119878119862119894 sends 119861119894 11986311989411987211198722 119860119868119863119894 119879119894 to 119878119895












119899119894 = 119861119894 oplus 119877119875119882119894 oplus 119877119875119882

119899119894

119862119899119894 = 119862119894 oplus 119877119875119882119894 oplus 119877119875119882119899119894 and 119881

119899119894 = ℎ(119868119863119894 119877119875119882

119899119894 )


119899119894 and 119881119894 with 119881

119899119894

respectively


















3 The New Protocol






























(iv) 119878119862119894 sends 11986011986811986311989411987211198722 119861119894 119863119894 119879119894 to 119878119895




















119899119890119908119894 = 119861119894 oplus

119877119875119882119894 oplus 119877119875119882119899119890119908119894 119862119899119890119908119894 = 119861119899119890119908119894 oplus ℎ(119875119878119870) 119881119899119890119908119894 =

ℎ(119868119863119894 119877119875119882119899119890119908119894 ) 119864119899119890119908119894 = 119864119894 oplus 119877P119882119894 oplus 119877119875119882

119899119890119908119894 and

119865119899119890119908119894 = 119865119894 oplus 119877119875119882119894 oplus 119877119875119882119899119890119908119894


119865119899119890119908119894 and 119881119899119890119908119894









(g2) 119878119895| equiv 119880119894119878119870119894119895larr997888rarr 119878119895


(g4) 119880119894| equiv 119880119894119878119870119894119895larr997888rarr 119878119895


(m1) 119880119894 997888rarr 119878119895 (119868119863119894 119877119875119882119894 1198801198941198731larr997888rarr 119878119895)

119880119894

119909119894larrrarr119877119862

(m2) 119878119895 997888rarr 119877119862 (1198601198681198631015840119894 119878119868119863119895 119877119875119882119894 1198801198941198731larr997888rarr

119878119895)119878119895

119910119895


(m3) 119877119862 997888rarr 119878119895 (119879119888 1198801198941198731larr997888rarr 119878119895)

119878119895

119910119895


(m4) 119878119895 997888rarr 119880119894 (119878119868119863119895 1198731 119880119894119878119870119894119895larr997888rarr 119878119895)

1198801198941198731larr997888rarr119878119895

(m5) 119880119894 997888rarr 119878119895 (1198731 1198732 119880119894119878119870119894119895larr997888rarr 119878119895)

11988011989411987311198732larr997888997888997888rarr119878119895


(p1) 119880119894| equiv 1198731(p2) 119878119895| equiv 1198732

(p3)119880119894| equiv 119880119894119909119894larrrarr 119877119862

(p4) 119877119862| equiv 119880119894119909119894larrrarr 119877119862

(p5) 119878119895| equiv 119878119895119910119895larrrarr 119877119862

(p6) 119877119862| equiv 119878119895119910119895larrrarr 119877119862






119875119870larrrarr 119876



119875| equiv 119875119870larrrarr 119876119875 ⊲ 119883119870






119875| equiv (119883)119875| equiv (119883 119884)


119875| equiv 119883 119875| equiv 119884




(p10)119880119894| equiv 1198801198941198731larr997888rarr 119878119895

(p11) 119878119895| equiv 1198801198941198732larr997888rarr 119878119895

(p12) 119878119895| equiv 119879119888(p13) 119877119862| equiv 119879119895



(S1) 119878119895 ⊲ (119879119888 1198801198941198731larr997888rarr 119878119895)

119878119895

119910119895





(S3) 119878119895| equiv (119879119888 1198801198941198731larr997888rarr 119878119895)






(S6) 119878119895| equiv 1198801198941198731larr997888rarr 119878119895


(S7) 119880119894 ⊲ (119878119868119863119895 1198731 119880119894119878119870119894119895larr997888rarr 119878119895)

1198801198941198731larr997888rarr119878119895




(S9) 119880119894| equiv (119878119868119863119895 1198731 119880119894119878119870119894119895larr997888rarr 119878119895)








(S13) 119878119895 ⊲ (1198731 1198732 119880119894119878119870119894119895larr997888rarr 119878119895)

11988011989411987311198732larr997888997888997888rarr119878119895





(S15) 119878119895| equiv (1198731 1198732 119880119894119878119870119894119895larr997888rarr 119878119895)










119860119889V119886119896119890119901 le1199022ℎ

|119867119886119904ℎ|+119862 sdot 1199021199041199041198901198991198892119897minus1

(1)



119860119889V119886119896119890119901 = 10038161003816100381610038162pr [1198640] minus 11003816100381610038161003816 (2)


pr [1198640] = pr [1198641] (3)



1003816100381610038161003816pr [1198642] minus pr [1198641]1003816100381610038161003816 =

1199022ℎ2 |119867119886119904ℎ|

(4)


1003816100381610038161003816pr [1198643] minus pr [1198642]1003816100381610038161003816 le

119862 sdot 1199021199041199041198901198991198892119897

(5)


pr [1198643] =1

2 (6)


119860119889V119886119896119890119901 le1199022ℎ

|119867119886119904ℎ|+119862 sdot 1199021199041199041198901198991198892119897minus1

(7)










1015840119894 119878119868119863119895 119910119895 119879119895) with





































6 Conclusion








Data Availability




Acknowledgments


References















































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia
















3 The New Protocol






























(iv) 119878119862119894 sends 11986011986811986311989411987211198722 119861119894 119863119894 119879119894 to 119878119895




















119899119890119908119894 = 119861119894 oplus

119877119875119882119894 oplus 119877119875119882119899119890119908119894 119862119899119890119908119894 = 119861119899119890119908119894 oplus ℎ(119875119878119870) 119881119899119890119908119894 =

ℎ(119868119863119894 119877119875119882119899119890119908119894 ) 119864119899119890119908119894 = 119864119894 oplus 119877P119882119894 oplus 119877119875119882

119899119890119908119894 and

119865119899119890119908119894 = 119865119894 oplus 119877119875119882119894 oplus 119877119875119882119899119890119908119894


119865119899119890119908119894 and 119881119899119890119908119894









(g2) 119878119895| equiv 119880119894119878119870119894119895larr997888rarr 119878119895


(g4) 119880119894| equiv 119880119894119878119870119894119895larr997888rarr 119878119895


(m1) 119880119894 997888rarr 119878119895 (119868119863119894 119877119875119882119894 1198801198941198731larr997888rarr 119878119895)

119880119894

119909119894larrrarr119877119862

(m2) 119878119895 997888rarr 119877119862 (1198601198681198631015840119894 119878119868119863119895 119877119875119882119894 1198801198941198731larr997888rarr

119878119895)119878119895

119910119895


(m3) 119877119862 997888rarr 119878119895 (119879119888 1198801198941198731larr997888rarr 119878119895)

119878119895

119910119895


(m4) 119878119895 997888rarr 119880119894 (119878119868119863119895 1198731 119880119894119878119870119894119895larr997888rarr 119878119895)

1198801198941198731larr997888rarr119878119895

(m5) 119880119894 997888rarr 119878119895 (1198731 1198732 119880119894119878119870119894119895larr997888rarr 119878119895)

11988011989411987311198732larr997888997888997888rarr119878119895


(p1) 119880119894| equiv 1198731(p2) 119878119895| equiv 1198732

(p3)119880119894| equiv 119880119894119909119894larrrarr 119877119862

(p4) 119877119862| equiv 119880119894119909119894larrrarr 119877119862

(p5) 119878119895| equiv 119878119895119910119895larrrarr 119877119862

(p6) 119877119862| equiv 119878119895119910119895larrrarr 119877119862






119875119870larrrarr 119876



119875| equiv 119875119870larrrarr 119876119875 ⊲ 119883119870






119875| equiv (119883)119875| equiv (119883 119884)


119875| equiv 119883 119875| equiv 119884




(p10)119880119894| equiv 1198801198941198731larr997888rarr 119878119895

(p11) 119878119895| equiv 1198801198941198732larr997888rarr 119878119895

(p12) 119878119895| equiv 119879119888(p13) 119877119862| equiv 119879119895



(S1) 119878119895 ⊲ (119879119888 1198801198941198731larr997888rarr 119878119895)

119878119895

119910119895





(S3) 119878119895| equiv (119879119888 1198801198941198731larr997888rarr 119878119895)






(S6) 119878119895| equiv 1198801198941198731larr997888rarr 119878119895


(S7) 119880119894 ⊲ (119878119868119863119895 1198731 119880119894119878119870119894119895larr997888rarr 119878119895)

1198801198941198731larr997888rarr119878119895




(S9) 119880119894| equiv (119878119868119863119895 1198731 119880119894119878119870119894119895larr997888rarr 119878119895)








(S13) 119878119895 ⊲ (1198731 1198732 119880119894119878119870119894119895larr997888rarr 119878119895)

11988011989411987311198732larr997888997888997888rarr119878119895





(S15) 119878119895| equiv (1198731 1198732 119880119894119878119870119894119895larr997888rarr 119878119895)










119860119889V119886119896119890119901 le1199022ℎ

|119867119886119904ℎ|+119862 sdot 1199021199041199041198901198991198892119897minus1

(1)



119860119889V119886119896119890119901 = 10038161003816100381610038162pr [1198640] minus 11003816100381610038161003816 (2)


pr [1198640] = pr [1198641] (3)



1003816100381610038161003816pr [1198642] minus pr [1198641]1003816100381610038161003816 =

1199022ℎ2 |119867119886119904ℎ|

(4)


1003816100381610038161003816pr [1198643] minus pr [1198642]1003816100381610038161003816 le

119862 sdot 1199021199041199041198901198991198892119897

(5)


pr [1198643] =1

2 (6)


119860119889V119886119896119890119901 le1199022ℎ

|119867119886119904ℎ|+119862 sdot 1199021199041199041198901198991198892119897minus1

(7)










1015840119894 119878119868119863119895 119910119895 119879119895) with





































6 Conclusion








Data Availability




Acknowledgments


References















































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia

























(iv) 119878119862119894 sends 11986011986811986311989411987211198722 119861119894 119863119894 119879119894 to 119878119895




















119899119890119908119894 = 119861119894 oplus

119877119875119882119894 oplus 119877119875119882119899119890119908119894 119862119899119890119908119894 = 119861119899119890119908119894 oplus ℎ(119875119878119870) 119881119899119890119908119894 =

ℎ(119868119863119894 119877119875119882119899119890119908119894 ) 119864119899119890119908119894 = 119864119894 oplus 119877P119882119894 oplus 119877119875119882

119899119890119908119894 and

119865119899119890119908119894 = 119865119894 oplus 119877119875119882119894 oplus 119877119875119882119899119890119908119894


119865119899119890119908119894 and 119881119899119890119908119894









(g2) 119878119895| equiv 119880119894119878119870119894119895larr997888rarr 119878119895


(g4) 119880119894| equiv 119880119894119878119870119894119895larr997888rarr 119878119895


(m1) 119880119894 997888rarr 119878119895 (119868119863119894 119877119875119882119894 1198801198941198731larr997888rarr 119878119895)

119880119894

119909119894larrrarr119877119862

(m2) 119878119895 997888rarr 119877119862 (1198601198681198631015840119894 119878119868119863119895 119877119875119882119894 1198801198941198731larr997888rarr

119878119895)119878119895

119910119895


(m3) 119877119862 997888rarr 119878119895 (119879119888 1198801198941198731larr997888rarr 119878119895)

119878119895

119910119895


(m4) 119878119895 997888rarr 119880119894 (119878119868119863119895 1198731 119880119894119878119870119894119895larr997888rarr 119878119895)

1198801198941198731larr997888rarr119878119895

(m5) 119880119894 997888rarr 119878119895 (1198731 1198732 119880119894119878119870119894119895larr997888rarr 119878119895)

11988011989411987311198732larr997888997888997888rarr119878119895


(p1) 119880119894| equiv 1198731(p2) 119878119895| equiv 1198732

(p3)119880119894| equiv 119880119894119909119894larrrarr 119877119862

(p4) 119877119862| equiv 119880119894119909119894larrrarr 119877119862

(p5) 119878119895| equiv 119878119895119910119895larrrarr 119877119862

(p6) 119877119862| equiv 119878119895119910119895larrrarr 119877119862






119875119870larrrarr 119876



119875| equiv 119875119870larrrarr 119876119875 ⊲ 119883119870






119875| equiv (119883)119875| equiv (119883 119884)


119875| equiv 119883 119875| equiv 119884




(p10)119880119894| equiv 1198801198941198731larr997888rarr 119878119895

(p11) 119878119895| equiv 1198801198941198732larr997888rarr 119878119895

(p12) 119878119895| equiv 119879119888(p13) 119877119862| equiv 119879119895



(S1) 119878119895 ⊲ (119879119888 1198801198941198731larr997888rarr 119878119895)

119878119895

119910119895





(S3) 119878119895| equiv (119879119888 1198801198941198731larr997888rarr 119878119895)






(S6) 119878119895| equiv 1198801198941198731larr997888rarr 119878119895


(S7) 119880119894 ⊲ (119878119868119863119895 1198731 119880119894119878119870119894119895larr997888rarr 119878119895)

1198801198941198731larr997888rarr119878119895




(S9) 119880119894| equiv (119878119868119863119895 1198731 119880119894119878119870119894119895larr997888rarr 119878119895)








(S13) 119878119895 ⊲ (1198731 1198732 119880119894119878119870119894119895larr997888rarr 119878119895)

11988011989411987311198732larr997888997888997888rarr119878119895





(S15) 119878119895| equiv (1198731 1198732 119880119894119878119870119894119895larr997888rarr 119878119895)










119860119889V119886119896119890119901 le1199022ℎ

|119867119886119904ℎ|+119862 sdot 1199021199041199041198901198991198892119897minus1

(1)



119860119889V119886119896119890119901 = 10038161003816100381610038162pr [1198640] minus 11003816100381610038161003816 (2)


pr [1198640] = pr [1198641] (3)



1003816100381610038161003816pr [1198642] minus pr [1198641]1003816100381610038161003816 =

1199022ℎ2 |119867119886119904ℎ|

(4)


1003816100381610038161003816pr [1198643] minus pr [1198642]1003816100381610038161003816 le

119862 sdot 1199021199041199041198901198991198892119897

(5)


pr [1198643] =1

2 (6)


119860119889V119886119896119890119901 le1199022ℎ

|119867119886119904ℎ|+119862 sdot 1199021199041199041198901198991198892119897minus1

(7)










1015840119894 119878119868119863119895 119910119895 119879119895) with





































6 Conclusion








Data Availability




Acknowledgments


References















































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia

















119899119890119908119894 = 119861119894 oplus

119877119875119882119894 oplus 119877119875119882119899119890119908119894 119862119899119890119908119894 = 119861119899119890119908119894 oplus ℎ(119875119878119870) 119881119899119890119908119894 =

ℎ(119868119863119894 119877119875119882119899119890119908119894 ) 119864119899119890119908119894 = 119864119894 oplus 119877P119882119894 oplus 119877119875119882

119899119890119908119894 and

119865119899119890119908119894 = 119865119894 oplus 119877119875119882119894 oplus 119877119875119882119899119890119908119894


119865119899119890119908119894 and 119881119899119890119908119894









(g2) 119878119895| equiv 119880119894119878119870119894119895larr997888rarr 119878119895


(g4) 119880119894| equiv 119880119894119878119870119894119895larr997888rarr 119878119895


(m1) 119880119894 997888rarr 119878119895 (119868119863119894 119877119875119882119894 1198801198941198731larr997888rarr 119878119895)

119880119894

119909119894larrrarr119877119862

(m2) 119878119895 997888rarr 119877119862 (1198601198681198631015840119894 119878119868119863119895 119877119875119882119894 1198801198941198731larr997888rarr

119878119895)119878119895

119910119895


(m3) 119877119862 997888rarr 119878119895 (119879119888 1198801198941198731larr997888rarr 119878119895)

119878119895

119910119895


(m4) 119878119895 997888rarr 119880119894 (119878119868119863119895 1198731 119880119894119878119870119894119895larr997888rarr 119878119895)

1198801198941198731larr997888rarr119878119895

(m5) 119880119894 997888rarr 119878119895 (1198731 1198732 119880119894119878119870119894119895larr997888rarr 119878119895)

11988011989411987311198732larr997888997888997888rarr119878119895


(p1) 119880119894| equiv 1198731(p2) 119878119895| equiv 1198732

(p3)119880119894| equiv 119880119894119909119894larrrarr 119877119862

(p4) 119877119862| equiv 119880119894119909119894larrrarr 119877119862

(p5) 119878119895| equiv 119878119895119910119895larrrarr 119877119862

(p6) 119877119862| equiv 119878119895119910119895larrrarr 119877119862






119875119870larrrarr 119876



119875| equiv 119875119870larrrarr 119876119875 ⊲ 119883119870






119875| equiv (119883)119875| equiv (119883 119884)


119875| equiv 119883 119875| equiv 119884




(p10)119880119894| equiv 1198801198941198731larr997888rarr 119878119895

(p11) 119878119895| equiv 1198801198941198732larr997888rarr 119878119895

(p12) 119878119895| equiv 119879119888(p13) 119877119862| equiv 119879119895



(S1) 119878119895 ⊲ (119879119888 1198801198941198731larr997888rarr 119878119895)

119878119895

119910119895





(S3) 119878119895| equiv (119879119888 1198801198941198731larr997888rarr 119878119895)






(S6) 119878119895| equiv 1198801198941198731larr997888rarr 119878119895


(S7) 119880119894 ⊲ (119878119868119863119895 1198731 119880119894119878119870119894119895larr997888rarr 119878119895)

1198801198941198731larr997888rarr119878119895




(S9) 119880119894| equiv (119878119868119863119895 1198731 119880119894119878119870119894119895larr997888rarr 119878119895)








(S13) 119878119895 ⊲ (1198731 1198732 119880119894119878119870119894119895larr997888rarr 119878119895)

11988011989411987311198732larr997888997888997888rarr119878119895





(S15) 119878119895| equiv (1198731 1198732 119880119894119878119870119894119895larr997888rarr 119878119895)










119860119889V119886119896119890119901 le1199022ℎ

|119867119886119904ℎ|+119862 sdot 1199021199041199041198901198991198892119897minus1

(1)



119860119889V119886119896119890119901 = 10038161003816100381610038162pr [1198640] minus 11003816100381610038161003816 (2)


pr [1198640] = pr [1198641] (3)



1003816100381610038161003816pr [1198642] minus pr [1198641]1003816100381610038161003816 =

1199022ℎ2 |119867119886119904ℎ|

(4)


1003816100381610038161003816pr [1198643] minus pr [1198642]1003816100381610038161003816 le

119862 sdot 1199021199041199041198901198991198892119897

(5)


pr [1198643] =1

2 (6)


119860119889V119886119896119890119901 le1199022ℎ

|119867119886119904ℎ|+119862 sdot 1199021199041199041198901198991198892119897minus1

(7)










1015840119894 119878119868119863119895 119910119895 119879119895) with





































6 Conclusion








Data Availability




Acknowledgments


References















































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia





119875119870larrrarr 119876



119875| equiv 119875119870larrrarr 119876119875 ⊲ 119883119870






119875| equiv (119883)119875| equiv (119883 119884)


119875| equiv 119883 119875| equiv 119884




(p10)119880119894| equiv 1198801198941198731larr997888rarr 119878119895

(p11) 119878119895| equiv 1198801198941198732larr997888rarr 119878119895

(p12) 119878119895| equiv 119879119888(p13) 119877119862| equiv 119879119895



(S1) 119878119895 ⊲ (119879119888 1198801198941198731larr997888rarr 119878119895)

119878119895

119910119895





(S3) 119878119895| equiv (119879119888 1198801198941198731larr997888rarr 119878119895)






(S6) 119878119895| equiv 1198801198941198731larr997888rarr 119878119895


(S7) 119880119894 ⊲ (119878119868119863119895 1198731 119880119894119878119870119894119895larr997888rarr 119878119895)

1198801198941198731larr997888rarr119878119895




(S9) 119880119894| equiv (119878119868119863119895 1198731 119880119894119878119870119894119895larr997888rarr 119878119895)








(S13) 119878119895 ⊲ (1198731 1198732 119880119894119878119870119894119895larr997888rarr 119878119895)

11988011989411987311198732larr997888997888997888rarr119878119895





(S15) 119878119895| equiv (1198731 1198732 119880119894119878119870119894119895larr997888rarr 119878119895)










119860119889V119886119896119890119901 le1199022ℎ

|119867119886119904ℎ|+119862 sdot 1199021199041199041198901198991198892119897minus1

(1)



119860119889V119886119896119890119901 = 10038161003816100381610038162pr [1198640] minus 11003816100381610038161003816 (2)


pr [1198640] = pr [1198641] (3)



1003816100381610038161003816pr [1198642] minus pr [1198641]1003816100381610038161003816 =

1199022ℎ2 |119867119886119904ℎ|

(4)


1003816100381610038161003816pr [1198643] minus pr [1198642]1003816100381610038161003816 le

119862 sdot 1199021199041199041198901198991198892119897

(5)


pr [1198643] =1

2 (6)


119860119889V119886119896119890119901 le1199022ℎ

|119867119886119904ℎ|+119862 sdot 1199021199041199041198901198991198892119897minus1

(7)










1015840119894 119878119868119863119895 119910119895 119879119895) with





































6 Conclusion








Data Availability




Acknowledgments


References















































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia




(S15) 119878119895| equiv (1198731 1198732 119880119894119878119870119894119895larr997888rarr 119878119895)










119860119889V119886119896119890119901 le1199022ℎ

|119867119886119904ℎ|+119862 sdot 1199021199041199041198901198991198892119897minus1

(1)



119860119889V119886119896119890119901 = 10038161003816100381610038162pr [1198640] minus 11003816100381610038161003816 (2)


pr [1198640] = pr [1198641] (3)



1003816100381610038161003816pr [1198642] minus pr [1198641]1003816100381610038161003816 =

1199022ℎ2 |119867119886119904ℎ|

(4)


1003816100381610038161003816pr [1198643] minus pr [1198642]1003816100381610038161003816 le

119862 sdot 1199021199041199041198901198991198892119897

(5)


pr [1198643] =1

2 (6)


119860119889V119886119896119890119901 le1199022ℎ

|119867119886119904ℎ|+119862 sdot 1199021199041199041198901198991198892119897minus1

(7)










1015840119894 119878119868119863119895 119910119895 119879119895) with





































6 Conclusion








Data Availability




Acknowledgments


References















































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia







1015840119894 119878119868119863119895 119910119895 119879119895) with





































6 Conclusion








Data Availability




Acknowledgments


References















































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia



























6 Conclusion








Data Availability




Acknowledgments


References















































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia








Data Availability




Acknowledgments


References















































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia


































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia


a secure three-factor multiserver authentication protocol...

Documents