
Computer Networks 55 (2011) 205–213

Contents lists available at ScienceDirect

Computer Networks

journal homepage: www.elsevier.com/locate/comnet

Provable secure authentication protocol with anonymity for roaming service in global mobility networks

Tao Zhou a,c, Jing Xu b,⇑

a State Key Laboratory of Information Security, Graduate University of Chinese Academy of Sciences, Beijing 100190, China
b State Key Laboratory of Information Security, Institute of Software, Chinese Academy of Sciences, Beijing 100190, China
c National Engineering Research Center of Information Security, Beijing 100190, China

Article info

Article history: Received 2 March 2010; Received in revised form 5 July 2010; Accepted 21 August 2010; Available online 8 September 2010. Responsible Editor: Y. Cheng

Keywords: Authentication; Anonymity; Wireless roaming; Provable security

1389-1286/$ - see front matter © 2010 Elsevier B.V. All rights reserved. doi:10.1016/j.comnet.2010.08.008

⇑ Corresponding author. Address: Institute of Software, Chinese Academy of Sciences, 4# South Fourth Street, Zhong Guan Cun, P.O. Box 8718, Beijing 100190, China. Tel.: +86 10 62661721; fax: +86 10 62661700.
E-mail address: [email protected] (J. Xu).

Abstract

User authentication is an important security mechanism for recognizing legitimate roaming users. The emerging global mobility network, however, has brought new requirements for the design of authentication schemes, due to its dynamic nature and attack-prone structure, which the traditional schemes overlooked, such as user anonymity. In this paper, we propose an efficient wireless authentication protocol with user anonymity for roaming service. We also introduce a formal security model suitable for roaming service in global mobility networks and show that the proposed protocol is provably secure in this model. To the best of our knowledge, this paper offers the first formal study of anonymous authentication schemes for roaming service in global mobility networks. In addition, we point out some practical attacks on Chang et al.'s authentication scheme with user anonymity for roaming environments.

© 2010 Elsevier B.V. All rights reserved.

1. Introduction

Rapid development of wireless networks brings about many security problems in mobile communications. A special network environment provides personal communication users with a global roaming service, called the global mobility network (GLOMONET) [1]. Through universal roaming technology, mobile users can access the services provided by the home agent in a foreign network. In the GLOMONET, the typical approach to securing roaming service for a mobile user between his home network and a foreign network being visited is to employ strong authentication measures. When a mobile station M roams to a foreign network managed by a foreign agent F, it performs authentication with F, under the assistance of his home agent H in the home network. If the authentication is successful, a session key is set up to encrypt further communications in the session between M and its foreign agent F.

Over the past years, many authentication protocols for the GLOMONET have been proposed [1–9]. In particular, in 2004, Zhu and Ma [5] proposed a wireless authentication protocol using smart cards. Unfortunately, Lee et al. [6,7] pointed out that Zhu and Ma's protocol [5] does not achieve mutual authentication and is subject to a forgery attack. Lee et al. [7,8] also proposed an improvement to overcome the weakness in Zhu and Ma's protocol. However, very recently, Chang et al. [9] showed that Lee et al.'s protocol [8] still suffers from a forgery attack, and proposed an improved version of Lee et al.'s protocol so as to remedy the identified deficiencies. It is thus common for such a protocol to be broken, for a minor fix to be proposed, and so on. This cycle continues and results in many slightly different protocol variants, because the breaks and the subsequent fixes are done heuristically. What is clearly desirable, but has not been provided until now, is a wireless authentication protocol with provable security.

Our work is aimed at filling this void. We define a formal security model suitable for wireless anonymous authentication protocols in the GLOMONET. Then we present a new authentication protocol with anonymity for roaming service that provably satisfies this notion of security, under widely believed computational-complexity assumptions. In addition, we show that Chang et al.'s protocol [9] is totally insecure. The vulnerability allows an insider adversary (i.e., a legitimate but malicious system user) to reveal the identities of all other mobile users registered with the same home agent H. Moreover, the protocol [9] does not provide the confidentiality of session keys that is expected of authentication protocols. In other words, an adversary can compromise the session key between a mobile user M and its foreign agent F.

The remainder of this paper is organized as follows. Section 2 reviews the protocol [9], whose weaknesses are pinpointed in Section 3. Section 4 introduces the formal security model. We then propose a new wireless authentication protocol with anonymity in Section 5, whose security and performance are analyzed in Section 6. Section 7 concludes.

For ease of presentation, we employ some intuitive abbreviations and symbols, which are summarized in Table 1.

Table 1
Notations.

  H           Home agent of a mobile user
  F           Foreign agent of the network
  M           Mobile user
  $n_A$       Sufficiently large random number generated by A
  $ID_A$      Identity of an entity A
  $E_K(X)$    Encryption of a message X using a symmetric key K
  $h(X)$      A one-way hash function
  $\|$        Concatenation
  $\oplus$    XOR operation

2. Review of Chang et al.’s protocol

Chang et al.'s protocol [9], which is claimed to be a security enhancement of Lee et al.'s scheme [8], consists of two phases. In Phase I, the home agent H securely issues a smart card to a mobile user M. In Phase II, mutual authentication between M and a foreign agent F is performed under the assistance of the home agent H. If authenticated, M can access the wireless services from F, and an agreed session key is established between them.

2.1. Phase I: registration

In this phase, a new mobile user M submits his identity $ID_M$ and the selected password $PW_M$ to his home agent H for registration. Then H uses its private key x to compute $R = h(ID_M\|x) \oplus PW_M$ and $h(x)$, and delivers a smart card, which contains $\{ID_M, ID_H, R, h(x), h(\cdot)\}$, to M through a secure channel.

2.2. Phase II: mutual authentication between M and F

When M visits a foreign network managed by F, he authenticates himself to F to show that he is a subscriber to his home network managed by H. The steps of this phase are outlined in Fig. 1 and explained as follows:

(1) M inserts his smart card into the device and enters the password $PW_M^*$. The device generates a nonce $n_M$ randomly and calculates the parameter $C = (R \oplus PW_M^*) \oplus n_M$. Then the device, on behalf of M, sends a login message $m_1 = \{\text{Login request}, n_M, ID_H\}$ to F for authentication.

(2) Upon receiving $m_1$, F records the nonce $n_M$, generates a random nonce $n_F$, and sends an authentication message $m_2 = \{\text{Authentication request}, n_F, ID_F\}$ to H.

(3) Upon receiving $m_2$, H checks whether $ID_F$ is valid. If so, H generates a nonce $n_H$ and sends a message $m_3 = \{n_H, ID_H\}$ to F.

(4) Upon receiving $m_3$, F sends a message $m_4 = \{n_H, n_F, ID_F\}$ to M.

(5) Upon receiving $m_4$, M computes $SID = ID_M \oplus h(h(x)\|n_H)$, $V_1 = h(n_H\|C)$, $SK = h(h(x)\|ID_M\|ID_F\|n_F)$, $V_2 = SK \oplus h(n_H\|ID_M)$, and $S_1 = h(n_F\|SID\|V_1\|V_2\|n_M)$. The shadow identity SID is used to provide user anonymity, and SK is the session key. Then M sends a message $m_5 = \{SID, V_1, V_2, n_M, S_1, ID_H\}$ to F.

(6) Upon receiving $m_5$, F computes $S_1^* = h(n_F\|SID\|V_1\|V_2\|n_M)$ and checks whether $S_1^* = S_1$. If so, F computes $S_2 = h(K_{FH}\|n_H\|SID\|V_1\|V_2\|n_M)$ and sends a message $m_6 = \{SID, V_1, V_2, n_M, S_2, ID_F\}$ to H, where $K_{FH}$ is a symmetric key shared between F and H.

(7) Upon receiving $m_6$, H first checks whether $ID_F$ is valid. Then H computes $S_2^* = h(K_{FH}\|n_H\|SID\|V_1\|V_2\|n_M)$ and checks whether $S_2^* = S_2$. If so, H computes $ID_M = SID \oplus h(h(x)\|n_H)$, $C^* = n_M \oplus h(ID_M\|x)$, and $V_1^* = h(n_H\|C^*)$. Then H checks whether $ID_M$ is valid and whether $V_1^* = V_1$ holds. If so, H computes $SK = V_2 \oplus h(n_H\|ID_M)$, $K_1 = SK \oplus h(K_{FH}\|n_F)$, $V_3 = h(ID_F\|h(x)\|n_M)$, and $S_3 = h(K_{FH}\|n_F\|K_1\|V_3)$, and sends the message $m_7 = \{K_1, V_3, S_3\}$ to F.

(8) Upon receiving $m_7$, F computes $S_3^* = h(K_{FH}\|n_F\|K_1\|V_3)$ and checks whether $S_3^* = S_3$. If so, it believes that M is an authorized user, and obtains the session key $SK = K_1 \oplus h(K_{FH}\|n_F)$. Then F computes $K_2 = SK \oplus h(SK\|n_M)$ and sends the message $m_8 = \{V_3, K_2\}$ to M.

(9) Upon receiving $m_8$, M computes $V_3^* = h(ID_F\|h(x)\|n_M)$ and $SK^* = K_2 \oplus h(SK\|n_M)$. If $V_3^* = V_3$ and $SK^* = SK$, M believes that F is authenticated and records the authenticated session key SK for future communications with F.

3. Weakness of Chang et al.’s protocol

Fig. 1. Authentication and key establishment phases of Chang-Lee-Chiu's scheme.

Next, we show that Chang et al.'s improved protocol [9] still has several serious deficiencies.

3.1. Attack against the user anonymity

In mobile networks, to prevent unauthorized entities from tracking the mobile user's movements and current whereabouts (which may be a serious violation of his privacy), it is important to assure user anonymity, so that the user's real identity can only be recognized by his home agent. We begin with an insider attack against the user anonymity featured in [9]. Consider a legitimate but malicious user $M_A$ registered with H, which is also the home agent of many other mobile users like an innocent M. The anonymity in Chang et al.'s scheme [9] can be easily compromised by the insider attacker $M_A$:

(1) In Phase II, the mutual authentication between M and F, $M_A$ eavesdrops messages $m_4$ and $m_5$ over the air, where $m_4 = \{n_H, n_F, ID_F\}$ and $m_5 = \{SID, V_1, V_2, n_M, S_1, ID_H\}$.

(2) $M_A$ uses message $m_4$ as the input to its own smart card; the card then outputs $SID_A = ID_A \oplus h(h(x)\|n_H)$.

(3) Since $M_A$ and M belong to the same home network H, the equation
$$SID \oplus ID_M = SID_A \oplus ID_A = h(h(x)\|n_H)$$
holds. So M's identity can be revealed by $M_A$ simply as $ID_M = SID \oplus SID_A \oplus ID_A$.

Essentially, $M_A$ can reveal the identity of any other mobile user registered with the same H. The above simple attack exploits the fact that in [9] the same $h(x)$ is employed by H for all legal users, so the mask $h(h(x)\|n_H)$ applied to every identity in a given session can be computed by any one of them.

3.2. Attack against confidentiality

More seriously, once the adversary $M_A$ obtains the identity of any mobile user M, he can reveal the session key agreed between M and the foreign agent F. In fact, in [9], the confidentiality of the session key SK relies on the secrecy of M's real identity. A more detailed description of the attack is as follows:

(1) $M_A$ launches the attack against user anonymity as above, and obtains M's real identity $ID_M$.

(2) $M_A$ eavesdrops messages $m_4$ and $m_5$ between M and his foreign agent F, and obtains $n_H$ and $V_2$. Then $M_A$ reveals the session key as $SK = V_2 \oplus h(n_H\|ID_M)$.

These two steps are enough to obtain the session key SK. Moreover, $M_A$ can verify the validity of SK by using message $m_8$, just as M does in step (9). So $M_A$ can decrypt all messages encrypted under the session key SK in future communications between M and F. That is to say, Chang et al.'s scheme cannot provide session key confidentiality.
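As an added worked example (not code from the paper or from Chang et al.), the following Python script runs Phase II of Chang et al.'s scheme as reviewed in Section 2 between a mobile user, a foreign agent and a home agent, and then performs the two attacks of Sections 3.1 and 3.2 using only the eavesdropped messages $m_4$, $m_5$, $m_8$ and the attacker's own smart card. Assumptions: $h$ is SHA-256, identities and passwords are padded to 32 bytes so that XOR is defined, the "Login request"/"Authentication request" framing of $m_1$/$m_2$ is omitted because the attack never uses it, and $V_2$ is masked with $h(n_H\|ID_M)$ as in step (7) and Section 3.2. The users "alice" and "mallory" are constructed sample data.

```python
"""Chang et al.'s scheme (Section 2) and the insider attacks of Section 3.
Added example, not the paper's code. Assumptions: h() is SHA-256; identities and
passwords are padded to 32 bytes so XOR is defined; the request framing of m1/m2
is omitted; V2 is masked with h(n_H || ID_M), as in step (7) and Section 3.2."""
import hashlib
import secrets


def h(*parts: bytes) -> bytes:
    """One-way hash of the concatenation X_1 || X_2 || ... (SHA-256 here)."""
    return hashlib.sha256(b"".join(parts)).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def fixed(s: bytes) -> bytes:
    """Pad an identity or password to 32 bytes (assumption, so XOR is well defined)."""
    return s.ljust(32, b"\0")


class HomeAgent:
    def __init__(self, ID_H: bytes, K_FH: bytes):
        self.ID_H, self.K_FH = fixed(ID_H), K_FH   # K_FH is pre-shared with F
        self.x = secrets.token_bytes(32)           # H's private key x
        self.hx = h(self.x)                        # h(x): the SAME value goes onto every card
        self.users = set()

    def register(self, ID_M: bytes, PW_M: bytes) -> dict:
        """Phase I: R = h(ID_M || x) XOR PW_M; the card holds {ID_M, ID_H, R, h(x)}."""
        ID_M = fixed(ID_M)
        self.users.add(ID_M)
        return {"ID_M": ID_M, "ID_H": self.ID_H, "R": xor(h(ID_M, self.x), fixed(PW_M)), "hx": self.hx}

    def step7(self, n_M, n_H, n_F, ID_F, SID, V1, V2, S2) -> tuple:
        """Step (7): check S2, unmask ID_M from SID, check V1, hand SK to F inside K1."""
        if h(self.K_FH, n_H, SID, V1, V2, n_M) != S2:
            raise ValueError("S2 mismatch")
        ID_M = xor(SID, h(self.hx, n_H))
        C_star = xor(n_M, h(ID_M, self.x))
        if ID_M not in self.users or h(n_H, C_star) != V1:
            raise ValueError("user authentication failed")
        SK = xor(V2, h(n_H, ID_M))
        K1, V3 = xor(SK, h(self.K_FH, n_F)), h(ID_F, self.hx, n_M)
        return K1, V3, h(self.K_FH, n_F, K1, V3)                 # m7 = {K1, V3, S3}


def card_step5(card: dict, PW: bytes, n_M, n_H, n_F, ID_F) -> tuple:
    """What M's smart card computes in step (5) from m4 = {n_H, n_F, ID_F}."""
    C = xor(xor(card["R"], fixed(PW)), n_M)                      # = h(ID_M || x) XOR n_M
    SID = xor(card["ID_M"], h(card["hx"], n_H))                  # shadow identity
    V1 = h(n_H, C)
    SK = h(card["hx"], card["ID_M"], ID_F, n_F)
    V2 = xor(SK, h(n_H, card["ID_M"]))
    return SID, V1, V2, h(n_F, SID, V1, V2, n_M), SK             # (..., S1, SK)


def run_session(H: HomeAgent, card: dict, PW: bytes, ID_F: bytes) -> dict:
    """Honest Phase II run; returns what an eavesdropper sees plus the true SK."""
    ID_F = fixed(ID_F)
    n_M, n_F, n_H = (secrets.token_bytes(32) for _ in range(3))  # steps (1)-(4)
    SID, V1, V2, S1, SK_M = card_step5(card, PW, n_M, n_H, n_F, ID_F)   # m5
    assert h(n_F, SID, V1, V2, n_M) == S1                               # step (6), at F
    S2 = h(H.K_FH, n_H, SID, V1, V2, n_M)                               # m6
    K1, V3, S3 = H.step7(n_M, n_H, n_F, ID_F, SID, V1, V2, S2)          # m7
    assert h(H.K_FH, n_F, K1, V3) == S3                                 # step (8), at F
    SK_F = xor(K1, h(H.K_FH, n_F))
    K2 = xor(SK_F, h(SK_F, n_M))                                        # m8
    assert h(ID_F, card["hx"], n_M) == V3 and xor(K2, h(SK_M, n_M)) == SK_M  # step (9), at M
    return {"m4": (n_H, n_F, ID_F), "m5": (SID, V1, V2, n_M, S1), "m8": (V3, K2), "SK": SK_M}


def insider_attack(tr: dict, my_card: dict, my_PW: bytes) -> tuple:
    """Sections 3.1 and 3.2: legitimate user M_A recovers ID_M and SK from the air."""
    n_H, n_F, ID_F = tr["m4"]
    SID, V1, V2, n_M, S1 = tr["m5"]
    # 3.1: feed the observed m4 into my own card; SID_A XOR ID_A = h(h(x) || n_H)
    SID_A = card_step5(my_card, my_PW, n_M, n_H, n_F, ID_F)[0]
    ID_M = xor(xor(SID, SID_A), my_card["ID_M"])
    # 3.2: once ID_M is known, V2 unmasks the session key
    SK = xor(V2, h(n_H, ID_M))
    V3, K2 = tr["m8"]
    assert xor(K2, h(SK, n_M)) == SK        # confirm SK from m8, exactly as M does in step (9)
    return ID_M.rstrip(b"\0"), SK


def demo() -> tuple:
    """Returns (recovered victim identity, whether the recovered SK equals the real one)."""
    H = HomeAgent(b"HomeNet", K_FH=secrets.token_bytes(32))
    victim = H.register(b"alice", b"alice-pw")         # constructed sample users
    attacker = H.register(b"mallory", b"mallory-pw")
    tr = run_session(H, victim, b"alice-pw", b"VisitedNet")
    ID_M, SK = insider_attack(tr, attacker, b"mallory-pw")
    return ID_M, SK == tr["SK"]


if __name__ == "__main__":
    print(demo())   # (b'alice', True)
```

Running `demo()` reproduces both results of this section: the victim's identity and the session key fall out of public messages plus the attacker's own card. The root cause is visible in `HomeAgent.__init__`: $h(x)$ is a per-home-agent constant rather than a per-user secret, so the mask on SID is identical for every subscriber within a session, and SK is protected by nothing more than that mask once $ID_M$ is known.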

4. Security model for wireless authentication protocols

Chang et al.'s protocol [9] was proved secure using BAN logic. It is worthwhile to discuss why that security proof failed to capture the attacks above. Surprisingly, user anonymity, a claimed security property, is not considered in their security proof at all. Furthermore, the basic assumption A12 (i.e., that the identity of the mobile user M is unknown to anyone except M) used in their proof does not hold, as Section 3.1 shows. More generally, BAN logic reasons about the beliefs of honest principals under idealized assumptions and does not model a computationally bounded adversary, so it is not a good choice for proving the security of such protocols. Thus we adopt the methods of provable security to prove the security of authentication protocols for roaming service in the GLOMONET. Next, we introduce the formal security model for wireless authentication protocols and define the semantic security of the session key. In addition, we formally define the special security requirements of authentication protocols for roaming service in the GLOMONET, such as user anonymity.

4.1. Formal security model

In this subsection, we introduce a formal security model, which is mainly adopted from Bellare et al. [10,11]. However, the capabilities of the adversary considered in our model are stronger and more comprehensive. Specifically, we allow an adversary to either reveal all the secrets stored in a user's smart card or compromise the user's password, but not both [12,13].

(1) Participants and initialization: In an authentication protocol for roaming service in global mobility networks, each participant is either a mobile user M, a foreign agent F, or a home agent H. The home agent H holds a private key $sk_H$ for himself and a secret key $K_{FH}$ for the foreign agent F. Each mobile user M holds a password $pw_M$, which is chosen from the small dictionary $\mathcal{D}$ whose distribution is $\mathcal{D}_{pw}$. Additionally, when the mobile user M enrolls with the home agent H, H stores $t_M$ into a smart card and issues it to the mobile user M, where $t_M$ is an (injective) transformation of $pw_M$ and $sk_H$. Each foreign agent F shares a secret key $K_{FH}$ with the home agent H.

(2) Execution of the protocol: The interaction between an adversary $\mathcal{A}$ and the protocol participants occurs only via oracle queries, which model the adversary's capabilities in a real attack. Let $P^i$ denote instance i of a participant P, where P is a mobile user or a foreign agent, but not a home agent. All possible oracle queries are listed in the following:

– Execute($M^i, F^j, H^k$): This oracle is used to simulate an eavesdropping attack by the adversary. The output of this query consists of the messages that were exchanged during an honest execution of the protocol.

– Reveal($P^i$): This query models the misuse of session keys. It returns to the adversary the session key of participant instance $P^i$, if the latter is defined.

– Send($P^i/H^i$, m): This query models an active attack. It outputs the message that participant instance $P^i$ or $H^i$ would generate upon receipt of message m.

– Corrupt(M, a): This query models the corruption capability of the adversary. If a = 1, it outputs the password $pw_M$ of M. If a = 2, it outputs the data stored in the smart card, including $t_M$.

– Test($P^i$): This oracle query is not used to simulate the adversary's attack, but to define the semantic security of the session key. After querying the oracles, the session key of $P^i$ or a random number will be returned according to a predefined random bit b. If b = 1, the adversary learns the session key of $P^i$; otherwise the adversary only learns a random number of the same length. This query can be called only once.

(3) Notation: We say an instance $P^i$ has accepted if it goes into an accept mode after receiving the last expected protocol message. The session identification (sid) of instance $P^i$ is the (ordered) concatenation of all messages generated during the protocol execution.

(4) Partnering: Let M be a mobile user and F be his foreign agent. We say that instances $M^i$ and $F^j$ are partnered if the following conditions are met: (1) both $M^i$ and $F^j$ accept; (2) both $M^i$ and $F^j$ share the same sid; (3) $M^i$ is $F^j$'s partner and vice versa.

(5) Freshness: We say that an instance $P^i$ is fresh if the following conditions hold: (1) it has accepted; (2) no Reveal queries have been made to P or its partner; (3) if P is a mobile user, strictly less than 2 Corrupt-queries have been made to P; else, if P is a foreign agent, strictly less than 2 Corrupt-queries have been made to P's partner.

4.2. Formal security definition

In this subsection we define the semantic security of the session key and the anonymity of the mobile user's identity.

(1) Semantic security: For any adversary $\mathcal{A}$, let $\mathrm{Succ}(\mathcal{A})$ be the event that $\mathcal{A}$ makes a single Test query directed to some fresh instance $P^i$ that has terminated, and eventually outputs a bit $b'$, where $b' = b$ for the bit b that was selected in the Test query. Let $\mathcal{D}$ be the mobile user's password dictionary. The advantage of $\mathcal{A}$ in violating the semantic security of the protocol L is defined to be
$$\mathrm{Adv}_{L,\mathcal{D}}(\mathcal{A}) = 2\Pr[\mathrm{Succ}(\mathcal{A})] - 1.$$
We say that an authentication protocol for roaming service is semantically secure if the advantage $\mathrm{Adv}_{L,\mathcal{D}}(\mathcal{A})$ is only negligibly larger than $O(q_s)/|\mathcal{D}|$, where $q_s$ is the number of active sessions and $|\mathcal{D}|$ is the size of the password dictionary.

(2) User anonymity: The aim of user anonymity is to make sure that, besides the mobile user M himself and his home agent H, no one, including the foreign agent, can tell the identity of the user [14,15]. To define anonymity, three more oracle queries, in addition to Execute, Reveal, Corrupt and Send, are needed. They are listed as follows:

– CorruptF(F): This query models the corruption capability of the adversary. It outputs the specific foreign agent F's secret key $K_{FH}$.

– RevealID($M^i$): This query models the misuse of the user identity. It returns to the adversary the real identity of participant instance $M^i$, if the latter is defined.

– TestAnon($M^i, ID_0, ID_1$): This oracle query is not used to simulate the adversary's attack, but to define the anonymity of the user identity. After querying the oracle, the transcript of $M^i$ with identity $ID_0$ or $ID_1$ will be returned according to a predefined random bit c. If c = 1, the adversary learns the transcript of $M^i$ with identity $ID_1$; otherwise the adversary learns the transcript of $M^i$ with identity $ID_0$. This query can be called only once.

We say that an instance $M^i$ is anonymity-fresh if the following conditions hold: (1) it has accepted; (2) no RevealID queries have been made to M; and (3) strictly less than 2 Corrupt-queries have been made to M.

For any adversary $\mathcal{A}$, let $\mathrm{Succ}^{anon}(\mathcal{A})$ be the event that $\mathcal{A}$ makes a single TestAnon query directed to some anonymity-fresh instance $M^i$ that has terminated, and eventually outputs a bit $c'$, where $c' = c$ for the bit c that was selected in the TestAnon query. The advantage of $\mathcal{A}$ in violating the anonymity of the protocol L is defined to be
$$\mathrm{Adv}^{anon}_{L}(\mathcal{A}) = 2\Pr[\mathrm{Succ}^{anon}(\mathcal{A})] - 1.$$
We say that an authentication protocol for roaming service provides user anonymity if the advantage $\mathrm{Adv}^{anon}_{L}(\mathcal{A})$ is negligible.

5. Our proposed protocol

The weaknesses of Chang et al.'s protocol [9] stem from the fact that there is a fixed binding between a user's identity $ID_M$ and his SID: every user registered with H masks $ID_M$ with the same value $h(h(x)\|n_H)$. The flaw allows an insider adversary to reveal the identity of any other user registered with the same home agent. To address these issues, we present a new mutual authentication protocol with anonymity for roaming services in wireless environments. Similar to the protocol [9], our protocol also employs a user password and a smart card, but it really preserves identity anonymity and provides session key confidentiality. Our protocol consists of two phases.

5.1. Phase I: registration

To initialize, H selects large primes p and q with p = 2q + 1, and a generator g of the multiplicative subgroup of order q. H also chooses its secret key $b \in \mathbb{Z}_q^*$ and an appropriate one-way hash function $h(\cdot): \{0,1\}^* \to \mathbb{Z}_p^*$. Then the scheme proceeds in the following steps:

(1) M submits his/her identity $ID_M$ and the selected password $PW_M$ to H for registration.

(2) H computes $B = g^b \bmod p$ and $u = h(ID_M\|b) \oplus PW_M$. H issues a smart card containing $\{p, g, B, h(\cdot), u\}$ and delivers it to M through a secure channel.

5.2. Phase II: mutual authentication between M and F

In this phase (outlined in Fig. 2), the user M and a foreign agent F perform mutual authentication and agree on a session key.

(1) When M enters a foreign network managed by F, he inputs his identity $ID_M$ and his password $PW_M^*$ to the smart card. The device then chooses two random numbers a and $n_M$, computes $A = g^a \bmod p$, $D = B^a \bmod p$, $C = u \oplus PW_M^*$, $SID = ID_M \oplus h(D\|n_M)$, and $V_1 = h(C\|D)$. Then the device, on behalf of M, sends a message $m_1 = \{n_M, A, SID, V_1, ID_H\}$ to F. Note that A and D can be pre-computed off-line.

(2) Upon receiving $m_1$, F randomly chooses $n_F$, computes $S_1 = h(K_{FH}\|n_M\|A\|SID\|V_1\|n_F\|ID_F)$, and sends a message $m_2 = \{n_M, A, SID, V_1, n_F, ID_F, S_1\}$ to H, where $K_{FH}$ is a pre-shared symmetric key between F and H.

(3) Upon receiving $m_2$, H computes $S_1^* = h(K_{FH}\|n_M\|A\|SID\|V_1\|n_F\|ID_F)$ and checks whether $S_1^* = S_1$. If so, H computes $D^* = A^b \bmod p$, $ID_M^* = SID \oplus h(D^*\|n_M)$, and $V_1^* = h(h(ID_M^*\|b)\|D^*)$. Then H checks whether $ID_M^*$ is a legal identity and whether $V_1^* = V_1$ holds. If both conditions are met, H continues to compute $SK = h(D^*\|ID_M^*\|n_M\|ID_F\|n_F)$, $K_1 = SK \oplus h(K_{FH}\|n_F)$, $V_2 = h(D^*\|n_M\|ID_F)$ and $S_2 = h(K_{FH}\|n_F\|K_1\|V_2)$, and sends a message $m_3 = \{K_1, V_2, S_2\}$ to F.

(4) Upon receiving $m_3$, F computes $S_2^* = h(K_{FH}\|n_F\|K_1\|V_2)$ and $SK = K_1 \oplus h(K_{FH}\|n_F)$, and checks whether $S_2^* = S_2$ holds. If so, it believes that M is an authorized user and forwards a message $m_4 = \{ID_F, n_F, V_2\}$ to M.

(5) Upon receiving $m_4$, M computes $V_2^* = h(D\|n_M\|ID_F)$ and checks whether $V_2^* = V_2$ holds. If so, M believes that F is authenticated and computes the agreed session key $SK = h(D\|ID_M\|n_M\|ID_F\|n_F)$.

Our scheme achieves mutual authentication. It is infeasible for the adversary $\mathcal{A}$ to impersonate a legitimate user M, since H authenticates M according to $V_1$ (recall Fig. 2), where $V_1 = h(C\|D)$, $C = u \oplus PW_M$ and $D = B^a \bmod p$. The attack model allows $\mathcal{A}$ to acquire either M's smart card or his password, but not both; therefore $\mathcal{A}$ lacks either the u issued to M or M's password $PW_M$, and cannot form C. Moreover, an adversary $\mathcal{A}$ cannot impersonate H to cheat either F or M, because in message $m_3$ the value $S_2$ intended for F is protected by $K_{FH}$ and bound to the fresh nonce $n_F$, and $V_2$ intended for M is protected by D and bound to $n_M$.
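As an added worked example (not the authors' code), the following Python script implements Phase I and Phase II of the protocol above with the three parties as separate objects exchanging the messages $m_1$ to $m_4$, and then exercises the corruption case the attack model singles out: an adversary holding M's smart card but not the password. Assumptions: $h$ is SHA-256 with outputs used as byte strings rather than elements of $\mathbb{Z}_p^*$; a freshly generated 64-bit safe-prime group stands in for a real group (toy size, chosen only so the example is self-contained); identities and passwords are padded to 32 bytes so that XOR is defined. The user "alice" and the agent names are constructed sample data.

```python
"""Section 5 protocol (registration + mutual authentication). Added example, not the
authors' code. Assumptions: h() is SHA-256 with outputs used as bytes (not Z_p^*
elements); a fresh 64-bit safe-prime group stands in for a real one (toy size);
identities and passwords are padded to 32 bytes so that XOR is defined."""
import hashlib, secrets
_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)   # Miller-Rabin bases, exact for n < 3.3e24

def is_prime(n: int) -> bool:
    if n < 2 or any(n % b == 0 for b in _BASES):
        return n in _BASES
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in _BASES:                                         # one Miller-Rabin round per base
        x = pow(a, d, n)
        if x not in (1, n - 1) and all((x := x * x % n) != n - 1 for _ in range(r - 1)):
            return False
    return True

def safe_prime_group(bits: int = 64) -> tuple:
    while True:                                              # (p, q, g): p = 2q + 1, g of order q
        q = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_prime(q) and is_prime(2 * q + 1):
            return 2 * q + 1, q, 4                           # 4 = 2^2 is a square != 1, hence order q

def h(*parts) -> bytes:                                      # h(X_1 || X_2 || ...), ints as 32-byte BE
    return hashlib.sha256(b"".join(x.to_bytes(32, "big") if isinstance(x, int) else x for x in parts)).digest()

def xor(a: bytes, b: bytes) -> bytes: return bytes(x ^ y for x, y in zip(a, b))
def fixed(s: bytes) -> bytes: return s.ljust(32, b"\0")       # pad ID / password (assumption)

class HomeAgent:
    def __init__(self, ID_H: bytes, K_FH: bytes):
        self.p, self.q, self.g = safe_prime_group()
        self.b = secrets.randbelow(self.q - 1) + 1              # secret key b in Z_q^*
        self.B, self.ID_H, self.K_FH, self.users = pow(self.g, self.b, self.p), fixed(ID_H), K_FH, set()

    def register(self, ID_M: bytes, PW_M: bytes) -> dict:      # Phase I: card = {p, g, B, h, u}
        self.users.add(fixed(ID_M))
        return {"p": self.p, "g": self.g, "B": self.B, "u": xor(h(fixed(ID_M), self.b), fixed(PW_M))}

    def step3(self, m2: tuple) -> tuple:
        n_M, A, SID, V1, n_F, ID_F, S1 = m2
        if h(self.K_FH, n_M, A, SID, V1, n_F, ID_F) != S1:
            raise ValueError("S1 mismatch: m2 not from F")
        D = pow(A, self.b, self.p)                              # D* = A^b = g^{ab}
        ID_M = xor(SID, h(D, n_M))                              # unmask the shadow identity
        if ID_M not in self.users or h(h(ID_M, self.b), D) != V1:
            raise ValueError("M rejected: unknown identity or wrong password/card")
        SK = h(D, ID_M, n_M, ID_F, n_F)
        K1, V2 = xor(SK, h(self.K_FH, n_F)), h(D, n_M, ID_F)
        return K1, V2, h(self.K_FH, n_F, K1, V2)                # m3 = {K1, V2, S2}

class ForeignAgent:
    def __init__(self, ID_F: bytes, K_FH: bytes):
        self.ID_F, self.K_FH = fixed(ID_F), K_FH

    def step2(self, m1: tuple) -> tuple:
        self.n_F = secrets.token_bytes(32)
        return (*m1[:4], self.n_F, self.ID_F, h(self.K_FH, *m1[:4], self.n_F, self.ID_F))   # m2

    def step4(self, m3: tuple) -> tuple:
        K1, V2, S2 = m3
        if h(self.K_FH, self.n_F, K1, V2) != S2:
            raise ValueError("S2 mismatch: m3 not from H")
        self.SK = xor(K1, h(self.K_FH, self.n_F))
        return self.ID_F, self.n_F, V2                          # m4

class Mobile:
    def __init__(self, card: dict, ID_M: bytes, PW: bytes):
        self.card, self.ID_M, self.PW = card, fixed(ID_M), PW

    def step1(self, ID_H: bytes) -> tuple:
        p, g, B = self.card["p"], self.card["g"], self.card["B"]
        a = secrets.randbelow((p - 1) // 2 - 1) + 1             # a in Z_q^*
        self.n_M, self.D = secrets.token_bytes(32), pow(B, a, p)
        C = xor(self.card["u"], fixed(self.PW))                 # = h(ID_M || b) iff PW is right
        SID = xor(self.ID_M, h(self.D, self.n_M))               # fresh per session: unlinkable
        return self.n_M, pow(g, a, p), SID, h(C, self.D), ID_H  # m1

    def step5(self, m4: tuple) -> bytes:
        ID_F, n_F, V2 = m4
        if h(self.D, self.n_M, ID_F) != V2:
            raise ValueError("V2 mismatch: F/H not authenticated")
        return h(self.D, self.ID_M, self.n_M, ID_F, n_F)        # SK

def run(H: HomeAgent, F: ForeignAgent, M: Mobile) -> tuple:     # -> (accepted, SK at M, SK at F)
    try:
        m4 = F.step4(H.step3(F.step2(M.step1(H.ID_H))))
        return True, M.step5(m4), F.SK
    except ValueError:
        return False, None, None

def demo() -> tuple:                  # (honest run accepted with equal keys, guessed password accepted)
    K_FH = secrets.token_bytes(32)
    H, F = HomeAgent(b"HomeNet", K_FH), ForeignAgent(b"VisitedNet", K_FH)
    card = H.register(b"alice", b"alice-pw")                    # constructed sample user
    ok, sk_m, sk_f = run(H, F, Mobile(card, b"alice", b"alice-pw"))
    bad, _, _ = run(H, F, Mobile(card, b"alice", b"wrong-pw"))  # stolen card, wrong password
    return ok and sk_m == sk_f, bad
```

The honest run ends with equal keys at M and F. The second run models Corrupt(M, 2) without Corrupt(M, 1): with u but without $PW_M$ the value C is wrong, H's check of $V_1$ fails in `step3`, and the session is rejected, which is the property the mutual-authentication argument above relies on. Note also that F never sees $ID_M$ and that SID changes with every $n_M$ and a, which is the anonymity improvement over Chang et al.'s fixed mask. A deployment would replace the 64-bit toy group with a standardised group of at least 2048 bits.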

6. Analysis of proposed protocol

In this section, we analyze the security and performance of our proposed protocol. The results show that our protocol is well suited to roaming service in the GLOMONET, both in security and in efficiency.

6.1. Security analysis

Before stating the semantic security and anonymity results, we recall the computational assumptions on which the security proof relies.

6.1.1. Computational Diffie–Hellman (CDH) assumption

Let G be a finite cyclic group of prime order p generated by an element g. Let $\mathcal{A}$ be a CDH-adversary with running time at most t. We denote by $\mathrm{Adv}^{cdh}_G(\mathcal{A})$ the probability that $\mathcal{A}$ succeeds in computing $g^{xy}$ from $(g^x, g^y)$, and by $\mathrm{Adv}^{cdh}_G(t) = \max_{\mathcal{A}}\{\mathrm{Adv}^{cdh}_G(\mathcal{A})\}$, where the maximum is taken over all adversaries with running time at most t. We say that the CDH assumption holds in G if $\mathrm{Adv}^{cdh}_G(t)$ is negligible.

Fig. 2. Mutual authentication phase of our proposed protocol.

6.1.2. Decisional Diffie–Hellman (DDH) assumption

Let G be a finite cyclic group of prime order p generated by an element g. Let $\mathcal{A}$ be a DDH-adversary with running time at most t. We denote by $\mathrm{Adv}^{ddh}_G(\mathcal{A})$ the probability that $\mathcal{A}$ succeeds in deciding whether $Z = g^{xy}$ given $(g^x, g^y, Z)$, and by $\mathrm{Adv}^{ddh}_G(t) = \max_{\mathcal{A}}\{\mathrm{Adv}^{ddh}_G(\mathcal{A})\}$, where the maximum is taken over all adversaries with running time at most t. We say that the DDH assumption holds in G if $\mathrm{Adv}^{ddh}_G(t)$ is negligible.

Lemma 1. For a positive integer N, suppose q elements $y_1, \dots, y_q$ are chosen uniformly and independently from a set of size N. Then the probability that there exist distinct i, j with $y_i = y_j$ is at most $q^2/(2N)$.

Proof. Let Coll denote the event that there exist distinct i, j with $y_i = y_j$, and let $\mathrm{Coll}_{i,j}$ denote the event $y_i = y_j$. It is immediate that $\Pr[\mathrm{Coll}_{i,j}] = 1/N$ for any distinct i, j. Furthermore, $\mathrm{Coll} = \bigvee_{i \ne j} \mathrm{Coll}_{i,j}$, and so
$$\Pr[\mathrm{Coll}] = \Pr\Big[\bigvee_{i \ne j} \mathrm{Coll}_{i,j}\Big] \le \sum_{i \ne j} \Pr[\mathrm{Coll}_{i,j}] = \binom{q}{2}\cdot\frac{1}{N} \le \frac{q^2}{2N}. \qquad \square$$

Theorem 1. Let G be a group as in Section 6.1.1 and let $\mathcal{D}$ be a uniformly distributed dictionary of size $|\mathcal{D}|$. Let IA be our proposed authentication protocol depicted in Fig. 2. Let $\mathcal{A}$ be an adversary against the semantic security within a time bound t, with less than $q_{send}$ Send-queries and $q_{exe}$ Execute-queries, and making less than $q_h$ random oracle queries. Then we have
$$\mathrm{Adv}_{IA,\mathcal{D}}(\mathcal{A}) \le \frac{2q_{send}}{|\mathcal{D}|} + 2q_h\,\mathrm{Adv}^{cdh}_G\big(t + (q_{send} + q_{exe} + 1)\tau_G\big) + \frac{2q_{send}}{p} + \frac{q_h^2 + (q_{send} + q_{exe})^2}{p}, \qquad (1)$$
where $\tau_G$ denotes the computational time of an exponentiation in G.

Proof. Our proof defines a sequence of hybrid experiments, starting with the real attack $\mathrm{Exp}_0$ and ending in an experiment $\mathrm{Exp}_4$ in which the adversary has no advantage. For each experiment $\mathrm{Exp}_i$, we define an event $\mathrm{Succ}_i$ corresponding to the case in which the adversary correctly guesses the bit b involved in the Test-query. For each step we bound the distance $\Delta_i = |\Pr[\mathrm{Succ}_{i+1}] - \Pr[\mathrm{Succ}_i]|$ between $\mathrm{Exp}_{i+1}$ and $\mathrm{Exp}_i$ for $0 \le i \le 3$. Summing these differences, we finally obtain the result of Theorem 1.

Experiment $\mathrm{Exp}_0$. This experiment corresponds to the real attack, in the random oracle model [16]. By definition, we have $\mathrm{Adv}_{IA,\mathcal{D}}(\mathcal{A}) = 2\Pr[\mathrm{Succ}_0] - 1$. Therefore
$$\mathrm{Adv}_{IA,\mathcal{D}}(\mathcal{A}) = 2\Pr[\mathrm{Succ}_4] - 1 + 2\big(\Pr[\mathrm{Succ}_0] - \Pr[\mathrm{Succ}_4]\big) \le 2\Pr[\mathrm{Succ}_4] - 1 + 2\sum_{i=0}^{3}\Delta_i. \qquad (2)$$

Experiment $\mathrm{Exp}_1$. In this experiment, we simulate the random oracles (h, but also an additional random oracle h' that will appear in experiment $\mathrm{Exp}_4$) as usual, by maintaining hash lists $\Lambda_h$ and $\Lambda_{h'}$. The Execute, Reveal, Send, Corrupt and Test oracles are also simulated as in the real attack. One can easily see that this experiment is perfectly indistinguishable from the real experiment. Hence,
$$\Delta_0 = 0. \qquad (3)$$

– On a hash query h(q) (resp. h'(q)) for which a record (q, r) appears in $\Lambda_h$ (resp. $\Lambda_{h'}$), return r. Otherwise, choose an element $r \in \mathbb{Z}_p^*$ uniformly at random, add the record (q, r) to the list $\Lambda_h$ (resp. $\Lambda_{h'}$), and return r.

– On a query Send($M^i$, start), assuming $M^i$ is in the correct state, we proceed as described in Section 5.2 and the query is answered with $(n_M, A, SID, V_1, ID_H)$.

– On a query Send($F^i$, $(n_M, A, SID, V_1, ID_H)$), assuming $F^i$ is in the correct state, we proceed as described in Section 5.2 and the query is answered with $(n_M, A, SID, V_1, n_F, ID_F, S_1)$.

– On a query Send($H^i$, $(n_M, A, SID, V_1, n_F, ID_F, S_1)$), assuming $H^i$ is in the correct state, we proceed as described in Section 5.2 and the query is answered with $(K_1, V_2, S_2)$.

– On a query Send($F^i$, $(K_1, V_2, S_2)$), assuming $F^i$ is in the correct state, we proceed as described in Section 5.2 and the query is answered with $(ID_F, n_F, V_2)$.

– On a query Reveal($P^i$): if the instance $P^i$ has accepted, the query is answered with the session key SK.

– On a query Execute($M^i, F^j, H^k$), we proceed using the simulation of the Send-queries as follows:
$$(n_M, A, SID, V_1, ID_H) \leftarrow \mathrm{Send}(M^i, \mathrm{start})$$
$$(n_M, A, SID, V_1, n_F, ID_F, S_1) \leftarrow \mathrm{Send}(F^j, (n_M, A, SID, V_1, ID_H))$$
$$(K_1, V_2, S_2) \leftarrow \mathrm{Send}(H^k, (n_M, A, SID, V_1, n_F, ID_F, S_1))$$
$$(ID_F, n_F, V_2) \leftarrow \mathrm{Send}(F^j, (K_1, V_2, S_2))$$
and the query is answered with the transcript $((n_M, A, SID, V_1, ID_H), (n_M, A, SID, V_1, n_F, ID_F, S_1), (K_1, V_2, S_2), (ID_F, n_F, V_2))$.

– On a query Test($P^i$): get SK from Reveal($P^i$) and flip a coin b. If b = 1, return the value of the session key SK; otherwise return a random value of the same length.

Experiment Exp2. In this experiment, we simulate all oracles as in experiment Exp1, except that we halt all executions in which a collision occurs in the transcript $((n_M, A, SID, V_1, ID_H), (n_M, A, SID, V_1, n_F, ID_F, S_1), (K_1, V_2, S_2), (n_F, V_2))$. According to Lemma 1, the probability of collisions in the output of the h oracle is at most $q_h^2/(2p)$. Similarly, the probability of collisions in the transcripts is at most $(q_{send} + q_{exe})^2/(2p)$, since A, $n_M$ and $n_F$ were simulated and thus chosen uniformly at random. Consequently,

$$\Delta_1 \le \frac{q_h^2 + (q_{send} + q_{exe})^2}{2p}. \qquad (4)$$

Experiment Exp3. In this experiment, we abort the executions wherein the adversary may have been lucky in guessing the authentication values $V_1$, SID, $V_2$, $S_1$ and $S_2$ (that is, without making the corresponding hash query). The experiments Exp3 and Exp2 are indistinguishable unless a participant rejects a valid authentication value:

$$\Delta_2 \le \frac{q_{send}}{p}. \qquad (5)$$

Experiment Exp4. In this experiment, we do not compute the session key using the oracle h, but using the private oracle h', so that the values $V_1$, $V_2$ and SK are completely independent from h, A and B. More precisely, in the Execute queries, one gets $V_1 = h'(C)$, $V_2 = h'(n_M \| ID_F)$ and $SK = h'(ID_M \| n_M \| ID_F \| n_F)$. The experiments Exp4 and Exp3 are indistinguishable unless the following event AskH4 occurs: the adversary A queries the hash function h on $C \| D$, $D \| n_M \| ID_F$ or $D \| ID_M \| n_M \| ID_F \| n_F$. In addition, whatever the bit b involved in the Test query, the answer is random, and independent for all the sessions. Therefore,

$$\Delta_3 \le \Pr[\mathrm{AskH}_4], \qquad (6)$$

$$\Pr[\mathrm{Succ}_4] = 1/2. \qquad (7)$$

To compute experiment Exp4, we simulate the executions using the random self-reducibility of the Diffie-Hellman problem, given one CDH instance $(g^a, g^b)$. We do not need to know the values of a and b, since the value D is no longer needed to compute the session key. Remember that AskH4 means that the adversary A has queried the random oracle h on $C \| Z$, $Z \| n_M \| ID_F$ or $Z \| ID_M \| n_M \| ID_F \| n_F$, where $Z = \mathrm{CDH}(g^a, g^b)$.

In addition, if the Corrupt(M,2) query has been made, it implies that the password-corrupt query (Corrupt(M,1)) has not been made. For every transcript, there is only one password which can be tested by the adversary A, which contributes the term $q_{send}/|D|$. We can thus conclude with

$$\Pr[\mathrm{AskH}_4] \le \frac{q_{send}}{|D|} + q_h\,\mathrm{Adv}^{\mathrm{cdh}}_G\bigl(t + (q_{send} + q_{exe} + 1)\cdot\tau_G\bigr). \qquad (8)$$
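As an added illustration, not part of the paper, of the random self-reducibility of CDH that the simulation of Exp4 relies on and of the $q_h$ factor in bound (8): a simulator holding one CDH instance $(g^a, g^b)$ derives a fresh, uniformly distributed session value A for every simulated session without knowing a, and maps any group element the adversary queries to h back to a candidate for $g^{ab}$. The group (the order-509 subgroup of $\mathbb{Z}_{1019}^*$), the exponents and all function names are constructed for this example.

```python
import random

# Constructed toy group (not the paper's parameters): the subgroup of prime
# order P = 509 inside Z_Q^* with Q = 2*P + 1 = 1019, generated by g = 4.
Q = 1019
P = 509
G = 4


def rerandomize(X, r, s):
    """Random self-reducibility of CDH: map X = g^a to X' = g^(a*r + s) mod Q.

    For r uniform in Z_P^* and s uniform in Z_P, X' is a uniform element of the
    group, so it can serve as a fresh session value A although a is unknown.
    """
    return (pow(X, r, Q) * pow(G, s, Q)) % Q


def recover_cdh(z_prime, Y, r, s):
    """Undo the re-randomisation on a CDH value.

    If Z' = CDH(X', Y) = g^((a*r + s)*b) = CDH(X, Y)^r * Y^s, then
    CDH(X, Y) = (Z' * Y^(-s))^(1/r), with exponents taken modulo P.
    """
    y_inv_s = pow(Y, (-s) % P, Q)   # Y^(-s)
    r_inv = pow(r, -1, P)           # r^(-1) mod P (needs Python 3.8+)
    return pow((z_prime * y_inv_s) % Q, r_inv, Q)


class CdhSimulator:
    """Simulator of Exp4: it holds only X = g^a and Y = g^b, never a or b."""

    def __init__(self, X, Y, rng):
        self.X, self.Y, self.rng = X, Y, rng
        self.sessions = []          # per-session (A_i, r_i, s_i)

    def new_session(self):
        """Return the value A for one more simulated Execute/Send session."""
        r = self.rng.randrange(1, P)
        s = self.rng.randrange(0, P)
        A_i = rerandomize(self.X, r, s)
        self.sessions.append((A_i, r, s))
        return A_i

    def cdh_candidates(self, hash_queries):
        """Map each group element the adversary fed to h back through every
        session's (r, s). If event AskH4 occurred, g^(ab) is among the results;
        having to pick one of them is the q_h factor in bound (8)."""
        return {recover_cdh(d, self.Y, r, s)
                for d in hash_queries for (_, r, s) in self.sessions}
```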

Consequently, from (2)–(8) we get the result of the theorem. □

Theorem 2. Let G be a group of prime order p. The proposed authentication protocol provides user anonymity in the random oracle model assuming the DDH assumption holds in G.

Proof. Suppose that A is an adversary breaking the anonymity of the proposed authentication protocol with advantage $\mathrm{Adv}^{\mathrm{anon}}(\mathcal{A})$. We construct an algorithm B that, by interacting with the adversary A, solves the DDH problem with the same advantage.

Algorithm B is given a random instance $(g^a, g^b, Z)$ of the DDH problem in G, where Z is either $g^{ab}$ or a random element of G. The objective of B is to decide whether $Z = g^{ab}$. Algorithm B does so by interacting with the adversary A as follows:

Registration simulation. B needs to issue smart cards which contain the same value B and a different value u for each user. B sets $B = g^b$ and computes $u = h(ID_M \| b') \oplus PW_M$, where $b' \in_R \mathbb{Z}_p^*$.

Oracle query simulation. There are two difficulties for B in simulating all the oracle queries. The first one is the value D, which is used to compute the values SID, $V_1$, $V_2$ and SK. Since B randomly chooses $a' \in \mathbb{Z}_p^*$ and sets $A = g^{a'}$, it is easy to compute $D = B^{a'}$. The second one is the value $h(ID_M \| b)$ in $V_1$. B cannot compute the value b, but notice that in the registration phase the value is computed as $h(ID_M \| b')$. So B is able to check the validity of the value $V_1$.

Challenge simulation. When receiving the identities $ID_0$ and $ID_1$ chosen by A, B randomly selects a bit $c \in \{0, 1\}$ and two nonces $n_M, n_F$, sets $A = g^a$ and computes the challenge transcript $((n_M, A, SID, V_1, ID_H), (n_M, A, SID, V_1, n_F, ID_F, S_1), (K_1, V_2, S_2), (n_F, V_2))$, where $SID = ID_c \oplus h(Z \| n_M)$, $V_1 = h(C \| Z)$, and $SK = h(Z \| ID_c \| n_M \| ID_F \| n_F)$. B claims that $Z = g^{ab}$ in answer to the DDH challenge if and only if A's guess bit $c' = c$.

Success probability. In the real protocol, the computation of SID, $V_1$ and SK relies on the value $g^{ab}$. In the simulated protocol, the value $g^{ab}$ is replaced by Z. So it is clear that the transcript and the session key are well formed if and only if $Z = g^{ab}$. Hence, B has the same advantage in solving the DDH challenge as A has in breaking the anonymity of our proposed protocol.

Time complexity. In the simulation, B's overhead is dominated by computing (A, B, D). Other values, involving only hash and XOR operations, can be computed in constant time. Computing (A, B, D) requires O(1) exponentiations in G. Let $\tau_{Exp}$ denote the time complexity of one exponentiation, without differentiating between exponentiations in different groups, and $\tau_A$ denote the time complexity for adversary A to break the user anonymity of our proposed scheme. Hence, the time complexity of B is $\tau_B = \tau_A + O(\tau_{Exp})$. □

Table 2. Performance comparisons.

Performance metrics                Party   Our scheme   Scheme in [8]   Scheme in [9]
Modular exponentiation             M       2 Pre        N/A             N/A
                                   F       N/A          N/A             N/A
                                   H       1            N/A             N/A
Hash operation                     M       3            4               7
                                   F       2            4               3
                                   H       5            5               8
XOR operation                      M       2            3               5
                                   F       1            1               2
                                   H       2            3               3
Symmetric cryptographic operation  M       N/A          2               N/A
                                   F       N/A          2               N/A
                                   H       N/A          1               N/A
Asymmetric cryptographic operation M       N/A          N/A             N/A
                                   F       N/A          2               N/A
                                   H       N/A          2               N/A
Communication rounds                       2            2               4

Note: "Pre" denotes a pre-computed operation.

6.2. Performance analysis

In this subsection, we evaluate the performance of our protocol and compare the computational efficiency involved in Phase II of our protocol with Lee et al.'s [8] and Chang et al.'s [9] in Table 2. In particular, we focus on the number of operations that a mobile user M needs to perform (marked in bold font in the original table), because mobile devices usually are not as powerful as desktop computers and thus are not suited to computation-intensive tasks.

Table 2 shows that, for the mobile user M, Phase II of our protocol introduces only two extra modular exponentiations, and both of them can be pre-computed off-line, even before the user inputs his identity and password. Therefore, for a mobile device, the computation complexity of our protocol is similar to that of [9] and more efficient than that of [8].

Another advantage of our protocol is its low communication complexity. The wireless medium faces many more problems and constraints than the wired medium, such as radio propagation effects, bandwidth and limited battery life, so it is sometimes more important to reduce the communication cost. Our Phase II takes only one round of message exchange between M and F, as well as between F and H (recall Fig. 2), while Chang et al.'s scheme [9] takes two rounds of message exchange between M and F, as well as between F and H (recall Fig. 1). Therefore, the communication complexity of our protocol is similar to that of [8] and more efficient than that of [9]. In short, our protocol combines the computation complexity advantage of [9] with the communication complexity advantage of [8].

7. Conclusions

In this paper, we provided a formal study of anonymous authentication protocols for roaming service in global mobility networks. We first formally described the capabilities of the adversary and defined the semantic security of the session key and the anonymity of the mobile user's identity. The adversary power considered here is stronger and more comprehensive. We also demonstrated certain deficiencies in the wireless anonymous authentication scheme of [9] and presented a new mutual authentication protocol for roaming service. In addition, we rigorously proved that our protocol satisfies the definitions of semantic security and anonymity. The proposed protocol is more suitable for mobile devices in global mobility networks due to its acceptable computation cost, high level of security and fewer interaction rounds.

Acknowledgements

This work was supported by the National Grand Fundamental Research (973) Program of China under Grant 2007CB311202, and the National Natural Science Foundation of China (NSFC) under Grant 60873197.

References

[1] S. Suzuki, K. Nakada, An authentication technique based on distributed security management for the global mobility network, IEEE Journal on Selected Areas in Communications 15 (8) (1997) 1608–1617.

[2] L. Buttyan, C. Gbaguidi, S. Staamann, U. Wilhelm, Extensions to an authentication technique proposed for the global mobility network, IEEE Transactions on Communications 48 (3) (2000) 373–376.

[3] Z.J. Tzeng, W.G. Tzeng, Authentication of mobile users in third generation mobile systems, Wireless Personal Communications 16 (1) (2001) 35–50.

[4] K.F. Hwang, C.C. Chang, A self-encryption mechanism for authentication of roaming and teleconference services, IEEE Transactions on Wireless Communications 2 (2) (2003) 400–407.

[5] J. Zhu, J. Ma, A new authentication scheme with anonymity for wireless environments, IEEE Transactions on Consumer Electronics 50 (1) (2004) 230–234.

[6] C.H. Lin, C.Y. Lee, Cryptanalysis of a new authentication scheme with anonymity for wireless environments, in: Proceedings of the Second International Conference on Advances in Mobile Multimedia, Bali, Indonesia, 2004, pp. 339–402.

[7] C.Y. Lee, C.C. Chang, C.H. Lin, User authentication with anonymity for global mobility networks, in: Proceedings of IEE Mobility Conference 2005: The Second Asia Pacific Conference on Mobile Technology, Applications and Systems, Guangzhou, China, 2005, pp. 1–5.

[8] C.C. Lee, M.S. Hwang, I.E. Liao, Security enhancement on a new authentication scheme with anonymity for wireless environments, IEEE Transactions on Industrial Electronics 53 (5) (2006) 1683–1687.

[9] C.C. Chang, C.Y. Lee, Y.C. Chiu, Enhanced authentication scheme with anonymity for roaming service in global mobility networks, Computer Communications 32 (2009) 611–618.

[10] M. Bellare, D. Pointcheval, P. Rogaway, Authenticated key exchange secure against dictionary attacks, in: Proceedings of Advances in Cryptology (EUROCRYPT 2000), 2000, pp. 139–155.

[11] M. Bellare, P. Rogaway, Provably secure session key distribution: the three party case, in: ACM STOC'95, Las Vegas, Nevada, USA, 1995, pp. 57–66.

[12] J. Xu, W.T. Zhu, D.G. Feng, An improved smart card based password authentication scheme with provable security, Computer Standards & Interfaces 4 (2008), doi:10.1016/j.csi.2008.09.006.

[13] C. Hazay, Y. Lindell, Constructions of truly practical secure protocols using standard smartcards, in: ACM CCS'08, Alexandria, Virginia, USA, 2008, pp. 491–500.

[14] G.M. Yang, D.S. Wong, X.T. Deng, Anonymous and authenticated key exchange for roaming networks, IEEE Transactions on Wireless Communications 6 (9) (2007) 3461–3472.

[15] C.M. Tang, D.O. Wu, Mobile privacy in wireless networks revisited, IEEE Transactions on Wireless Communications 7 (3) (2008) 1035–1042.

[16] M. Bellare, P. Rogaway, Random oracles are practical: a paradigm for designing efficient protocols, in: ACM CCS'93, 1993, pp. 62–73.

Tao Zhou received his B.S. degree from Huazhong University of Science and Technology. Currently, he is pursuing his M.E. degree at the Graduate University of Chinese Academy of Sciences. His research interests include network security and security protocols.

Jing Xu received her Ph.D. degree from the Academy of Mathematics and Systems Science, Chinese Academy of Sciences. She is currently an associate research professor with the Institute of Software, Chinese Academy of Sciences. Her research interests include computer networking and information security.