
This article has been accepted for inclusion in a future issue of this journal. Content is final as presented, with the exception of pagination.

IEEE SYSTEMS JOURNAL

Efficient Privacy-Aware Authentication Scheme for Mobile Cloud Computing Services

Debiao He, Neeraj Kumar, Muhammad Khurram Khan, Lina Wang, and Jian Shen

Abstract: With the exponential increase of mobile devices and the fast development of cloud computing, a new computing paradigm called mobile cloud computing (MCC) has been put forward to overcome the storage, communication, and computation limitations of mobile devices. Through mobile devices, users can enjoy various cloud computing services while on the move. However, the openness of wireless communication makes it difficult to ensure security and protect privacy in this new paradigm. Recently, Tsai and Lo proposed a privacy-aware authentication (PAA) scheme to solve the identification problem in MCC services and proved that their scheme resists many kinds of existing attacks. Unfortunately, we found that Tsai and Lo's scheme cannot resist the service provider impersonation attack, i.e., an adversary can impersonate the service provider to the user. Moreover, the adversary can extract the user's real identity while executing this attack. To address these problems, we construct a new PAA scheme for MCC services using an identity-based signature scheme. Security analysis shows that the proposed PAA scheme addresses the serious security problems in Tsai and Lo's scheme and meets the security requirements of MCC services. The performance evaluation shows that the proposed PAA scheme has lower computation and communication costs than Tsai and Lo's PAA scheme.

Index Terms: Anonymity, authentication scheme, mobile cloud computing (MCC), privacy, provable security.

Manuscript received March 12, 2016; revised August 2, 2016; accepted November 27, 2016. This work was supported by the Deanship of Scientific Research at King Saud University through the Prolific Research Group (PRG-1436-16).
The work of D. He was supported by the National Natural Science Foundation
of China (No. 61501333 and No. 61572379), by the Natural Science Foundation
of Hubei Province of China (No. 2015CFB257), and by the Guangxi Key Laboratory of Cryptography and Information Security (No. GCIS201608). The work
of L. Wang was supported in part by the National Natural Science Foundation
of China under Grant U1536204 and in part by the National High-tech R&D
Program of China (863 Program) under Grant 2015AA016004.
D. He is with the State Key Laboratory of Software Engineering, Computer School, Wuhan University, Wuhan 430072, China, and also with the Guangxi Key Laboratory of Cryptography and Information Security, Guilin University of Electronic Technology, Guilin 541000, China (e-mail: hedebiao@163.com).
N. Kumar is with the Department of Computer Science and Engineering,
Thapar University, Patiala 147004, India (e-mail: nehra04@yahoo.co.in).
M. K. Khan is with the Center of Excellence in Information Assurance, King
Saud University, Riyadh 12372, Saudi Arabia (e-mail: mkhurram@ksu.edu.sa).
L. Wang is with the Key Laboratory of Aerospace Information Security
and Trusted Computing of Ministry of Education, Computer School, Wuhan
University, Wuhan 430072, China (e-mail: lnawang@163.com).
J. Shen is with the School of Computer and Software, Nanjing University of Information Science and Technology, Nanjing 210000, China (e-mail:
s_shenjian@126.com).
Digital Object Identifier 10.1109/JSYST.2016.2633809

Fig. 1. Typical architecture of MCC services.

I. INTRODUCTION
Due to the deployment of wireless communication technologies and the popularity of mobile devices (such as laptops, smartphones, and tablet PCs), we can access Internet services while on the move. This brings much convenience to daily life, since we can enjoy many kinds of network services anywhere and at any time. As users demand higher service quality, a huge amount of data has to be processed in time by their mobile devices. However, the resources of mobile devices (such as storage, computation, and communication capabilities) are limited and cannot satisfy users' requirements [1]-[3]. This weakness has become a performance bottleneck for various applications based on mobile devices.

In the past several years, cloud computing has developed rapidly into one of the most powerful network technologies. Through resource virtualization, cloud computing is able to provide convenient and cheap services to users in a pay-as-you-go mode [4], [5]. For example, we can obtain free cloud storage services from many well-known cloud service providers (CSPs) such as Baidu and Google. A new digital ecosystem called mobile cloud computing (MCC) has emerged recently, in which mobile computing is integrated with cloud computing platforms. With this integration, the resource-constrained problems of mobile devices can be addressed successfully. With the growing variety of MCC services, distributed MCC is also employed in practical applications, where many kinds of CSPs provide different types of cloud services to users [6], [7]. A typical architecture of MCC services is illustrated in Fig. 1.

1937-9234 © 2016 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.


Because all messages in the MCC services environment are transmitted wirelessly, the adversary can easily control the communication channel, i.e., he/she is able to intercept, delay, and modify transmitted messages. The MCC services environment is therefore more vulnerable to various types of attacks than the traditional cloud computing services environment. To ensure that only legal users can access MCC services and to stop the adversary from accessing them, new security mechanisms should be developed for this environment. The privacy-aware authentication (PAA) scheme is crucial for addressing the security problem in the MCC services environment because it is able to verify the participants' identities and protect their privacy. Many PAA schemes have been proposed in the past several years. However, most of them are not suitable for MCC services because they suffer from serious security problems or have unsatisfactory performance. Therefore, it is necessary to design new PAA schemes to ensure security and preserve privacy in the MCC services environment.
A. Related Work
To achieve mutual authentication (MA) in open networks, Lamport [8] proposed the first authentication scheme for the single-server environment. However, Lamport's scheme is not able to resist the replay attack and the impersonation attack. To improve security, several password-based authentication schemes were proposed [9]-[13]. Compared with Lamport's scheme, those schemes have many advantages. However, each server in those schemes has to maintain a verifier table to achieve MA. The adversary may impersonate the user or the server after stealing the verifier table. Besides, those schemes suffer from the denial-of-service attack if the adversary maliciously modifies the verifier table. To remove these serious weaknesses, it is necessary to design authentication schemes without any verifier table.

Hwang and Li [14] designed the first authentication scheme using both a password and a smart card. Compared with previous authentication schemes [9]-[11], [15], [16], no verifier table is needed in their scheme. Therefore, Hwang and Li's scheme has better security. To get better performance, Sun [17] proposed an efficient scheme based on Hwang and Li's work. However, neither Hwang and Li's scheme [14] nor Sun's scheme [17] achieves MA. To achieve better security and performance, many authentication schemes [18]-[25] using both the password and the smart card were proposed in the last decades. However, those schemes cannot be used directly in the MCC services environment, because many CSPs exist there and the user would have to register with every CSP separately. The user not only has to put extra effort into remembering many passwords and identities, but also wastes a lot of time on repeated registrations.
To solve these two weaknesses, the concept of the authentication scheme for the multiserver environment was introduced, where the user only needs to register once at the registration center. Li et al. [26] proposed the first authentication scheme for the multiserver environment. However, Lin et al. [27] pointed out that the performance of their scheme is not acceptable because complicated neural networks are used to implement MA. To improve performance, Lin et al. [27] designed a new scheme based on the discrete logarithm problem. However, Cao and Zhong [28] pointed out that Lin et al.'s scheme [27] was insecure against the impersonation attack. Subsequently, many such schemes [29]-[36] based on symmetric cryptography were proposed to enhance security or performance.
Although the above schemes using symmetric cryptography have much better performance than previous schemes, their security level is not satisfactory. For example, they cannot provide perfect forward secrecy. To enhance security and to improve performance, several authentication schemes for multiserver environments using elliptic curve cryptography (ECC) were proposed for practical applications. Yoon and Yoo [37] proposed such a scheme. However, Yoon and Yoo's scheme is not secure at all, because a malicious user is able to impersonate another user to access services [38]. To enhance security, He and Wang [39] presented an improved scheme using ECC. Unfortunately, Odelu et al. [40] found that He and Wang's scheme was insecure against two kinds of attacks and was not able to provide user anonymity. Odelu et al. [40] therefore also presented a security-enhanced scheme to address those problems.

The above schemes [37], [39], [40] have some advantages over previous schemes. However, they are not suitable for MCC services, because the registration center must always be online to implement MA, and establishing a trusted online registration center is very expensive. To address this problem, Tsai and Lo [41] proposed a PAA scheme for MCC services. Compared with previous schemes [37], [39], [40], Tsai and Lo's scheme protects the user's privacy and needs no online registration center to achieve MA. Tsai and Lo [41] also proved that their PAA scheme resists a lot of attacks. In this paper, we present a concrete attack to show that their PAA scheme is insecure against the service provider impersonation attack. Besides, we also show that the adversary can obtain the user's real identity during the execution of this attack.
B. Our Contribution
In this paper, we present a security analysis of Tsai and Lo's PAA scheme [41]. Through a concrete attack, we point out that Tsai and Lo's PAA scheme is insecure against the service provider impersonation attack. To enhance security, we construct a new PAA scheme for MCC services using an identity-based signature scheme [42]. The major contributions of this paper are summarized as follows.
1) First, we review and analyze Tsai and Lo's PAA scheme for MCC services. Through a concrete attack, we show that their scheme is insecure against the service provider impersonation attack. We also show that their PAA scheme is not able to provide user anonymity.
2) Second, we propose a new PAA scheme for MCC services based on an identity-based signature scheme [42]. Our proposed PAA scheme overcomes the weakness existing in Tsai and Lo's scheme for MCC services.
3) Finally, we provide a detailed security and performance analysis to show that the proposed PAA scheme not only meets the requirements of MCC services, but also has better performance than Tsai and Lo's PAA scheme.


Fig. 2. Network model.

C. Organization of This Paper
This paper is organized as follows. In Section II, some preliminaries are presented. In Section III, we review Tsai and Lo's PAA scheme briefly and show its serious security weaknesses. In Section IV, we present the details of our proposed PAA scheme for MCC services. In Sections V and VI, the security and performance analyses of our proposed PAA scheme are presented. Finally, we present some concluding remarks in Section VII.

II. PRELIMINARIES
A. Bilinear Pairing
Let $G_1$ and $G_2$ be two groups with the same order $q$, where $q$ is a large prime. A map $e : G_1 \times G_1 \to G_2$ is called a bilinear pairing when it meets the following conditions.
1) Bilinearity: Given $Q, R \in G_1$ and two elements $a, b \in Z_q^*$, the equation $e(a \cdot Q, b \cdot R) = e(Q, R)^{ab}$ holds.
2) Nondegeneracy: An element $P \in G_1$ exists such that $e(P, P) \neq 1_{G_2}$.
3) Computability: Given $Q, R \in G_1$, $e(Q, R)$ can be computed efficiently.
The following problems are believed to be hard, i.e., no probabilistic polynomial-time algorithm solves them with nonnegligible probability. They are used in the security analysis of our proposed PAA scheme.
Collusion Attack Algorithm with $k$ Traitors ($k$-CAA) Problem [43]: Given $P, s \cdot P \in G_1$, $\lambda_1, \lambda_2, \ldots, \lambda_k \in Z_q^*$, and $\frac{1}{s + \lambda_1} P, \frac{1}{s + \lambda_2} P, \ldots, \frac{1}{s + \lambda_k} P$, compute $\frac{1}{s + \lambda} P$ for an element $\lambda \notin \{\lambda_1, \lambda_2, \ldots, \lambda_k\}$.
Modified Bilinear Inverse Diffie-Hellman with $k$ Values ($k$-mBIDH) Problem [43]: Given $P, s \cdot P, t \cdot P \in G_1$, $\lambda_1, \lambda_2, \ldots, \lambda_k \in Z_q^*$, and $\frac{1}{s + \lambda_1} P, \frac{1}{s + \lambda_2} P, \ldots, \frac{1}{s + \lambda_k} P$, compute $e(P, P)^{\frac{t}{s + \lambda}}$ for an element $\lambda \notin \{\lambda_1, \lambda_2, \ldots, \lambda_k\}$.
Computational Diffie-Hellman (CDH) Problem [44]: Given $g^x, g^y \in G_2$, compute $g^{xy} \in G_2$, where $x, y \in Z_q^*$ are unknown.

B. Network Model
A typical network model of the PAA scheme for MCC services is shown in Fig. 2. There are three participants in a PAA scheme for MCC services: the trusted smart card generator $SCG$, a user $U_i$, and a cloud service provider $CSP_j$.
$SCG$: It is a trusted third party responsible for generating the master key and the system parameters. It also generates the private keys of $U_i$ and $CSP_j$ according to their identities.
$U_i$: He/she is a user of the system. Using the private key generated by $SCG$ and a mobile device with limited resources, he/she can pass $CSP_j$'s authentication and access some MCC services.
$CSP_j$: It is a powerful CSP that provides some specific MCC services. Using the private key and the system parameters generated by $SCG$, $CSP_j$ is able to check the legality of $U_i$ and to convince $U_i$ that it is a legal CSP.

C. Security Requirements
Due to the openness of the wireless network, the adversary can control the communication channels between the CSP and the user. Therefore, a PAA scheme for MCC services is exposed to many types of attacks. To guarantee security, a PAA scheme for MCC services should meet the following requirements [37], [39]-[41].
Mutual authentication: To ensure that only legal users can access MCC services, a PAA scheme should provide MA between $U_i$ and $CSP_j$, so that each can confirm the legality of the other.
User anonymity: To preserve privacy, a PAA scheme for MCC services should provide user anonymity, i.e., adversaries, including malicious users and CSPs, cannot extract the user's real identity from intercepted messages.
Untraceability: User anonymity alone is not robust enough to protect the user's privacy, because the adversary may trace the user's actions by tracking some constant value sent by the user. To achieve a satisfactory security level, a PAA scheme for MCC services should also provide untraceability.
Key establishment: To ensure secure communication after MA, a PAA scheme for MCC services should provide key establishment, i.e., a session key should be produced during MA to encrypt messages in subsequent communication.
Known session key security: To ensure the security of the current session, the adversary should not be able to obtain the current session key even if he/she has obtained session keys produced in previous sessions.
Perfect forward secrecy: To guarantee the confidentiality of messages transmitted in the system, a PAA scheme for MCC services should provide perfect forward secrecy, i.e., the adversary cannot recover the session key of a previous session even if he/she obtains both the private key of the user and that of the CSP.
No verifier table: To avoid the management problem of verifier tables and the attacks related to them, a PAA scheme for MCC services should achieve MA without any verifier table.
No clock synchronization: To avoid the complicated clock synchronization problem, a PAA scheme for MCC services should not depend on synchronized clocks, e.g., it should rely on nonces rather than timestamps.
Resistance to known attacks: To withstand the various attacks existing in the MCC services environment, a PAA scheme for MCC services should resist all known attacks.


III. REVIEW AND ANALYSIS OF TSAI AND LO'S PAA SCHEME

A. Review of Tsai and Lo's PAA Scheme
There are three participants in Tsai and Lo's PAA scheme, i.e., the trusted smart card generator $SCG$, a user $U_i$, and a $CSP_j$. Their scheme consists of three phases: the system setup phase, the registration phase, and the authentication phase, which are described below.
1) System setup phase
$SCG$ selects the system parameters by executing the following steps.
a) $SCG$ selects two groups $G_1$ and $G_2$ with the same prime order $q$ and a generator $P$ of $G_1$.
b) $SCG$ chooses a bilinear pairing $e : G_1 \times G_1 \to G_2$ and calculates $g = e(P, P)$.
c) $SCG$ selects a random nonce $s \in Z_q^*$ as the master key and computes the public key $P_{pub} = s \cdot P$.
d) $SCG$ selects five secure hash functions $h_1 : \{0,1\}^* \to Z_q^*$, $h_2 : G_2 \to \{0,1\}^*$, $h_3 : \{0,1\}^* \to Z_q^*$, $h_4 : \{0,1\}^* \to Z_q^*$, and $H : \{0,1\}^* \to G_1$.
e) $SCG$ publishes $params = \{q, G_1, G_2, e, h_1, h_2, h_3, h_4, H, P, g\}$ and keeps $s$ secret.
2) Registration phase
In this phase, $U_i$ and $CSP_j$ register with $SCG$ and obtain their private keys through the following steps.
$U_i$ registers with $SCG$ as follows.
a) $U_i$ sends his/her identity $ID_{U_i}$ to $SCG$ through a secure channel.
b) $SCG$ uses its master key to compute $S_{U_i} = \frac{1}{s + h_1(ID_{U_i})} P$ and sends $S_{U_i}$ to $U_i$ through a secure channel.
c) $U_i$ computes $E_{U_i} = S_{U_i} \oplus H(pw_{U_i} \| f_{U_i})$ and stores $E_{U_i}$ in his/her mobile device, where $pw_{U_i}$ and $f_{U_i}$ are $U_i$'s password and fingerprint, respectively.
$CSP_j$ registers with $SCG$ as follows.
a) $CSP_j$ sends its identity $ID_{CSP_j}$ to $SCG$ through a secure channel.
b) $SCG$ uses its master key to compute $S_{CSP_j} = \frac{1}{s + h_1(ID_{CSP_j})} P$ and sends $S_{CSP_j}$ to $CSP_j$ through a secure channel.
c) $CSP_j$ stores $S_{CSP_j}$ in secure memory.
3) Authentication phase
As shown in Fig. 3, $U_i$ and $CSP_j$ authenticate each other and produce a session key through the following steps.
a) $U_i$ inputs his/her password $pw_{U_i}$ and fingerprint $f_{U_i}$, computes $S_{U_i} = E_{U_i} \oplus H(pw_{U_i} \| f_{U_i})$, and sends a service request to $CSP_j$.
b) $CSP_j$ selects a random nonce $a \in Z_q^*$, calculates $A = g^a$, and sends $\{A\}$ to $U_i$.
c) $U_i$ selects a random nonce $b \in Z_q^*$ and computes the session key $K_{ij} = h_2(A^b)$, $K_2 = b \cdot P_{pub} + h_1(ID_{CSP_j}) \cdot b \cdot P$, $W = b \cdot P_{pub} + h_1(ID_{U_i}) \cdot b \cdot P$, the signature $\sigma_i = \frac{1}{b + h_3(ID_{U_i} \| A \| ID_{CSP_j} \| W \| K_{ij})} S_{U_i}$, and $C_i = K_{ij} \oplus (ID_{U_i} \| \sigma_i \| W)$. $U_i$ sends $\{K_2, C_i\}$ to $CSP_j$.
d) $CSP_j$ computes the session key $K_{ji} = h_2(e(K_2, S_{CSP_j})^a)$ and $(ID_{U_i} \| \sigma_i \| W) = K_{ji} \oplus C_i$. $CSP_j$ checks whether the equation $e(\sigma_i, W + h_3(ID_{U_i} \| A \| ID_{CSP_j} \| W \| K_{ji}) \cdot Q_{U_i}) = g$ holds, where $Q_{U_i} = P_{pub} + h_1(ID_{U_i}) \cdot P$. If not, $CSP_j$ terminates the service request; otherwise, $CSP_j$ computes $D_i = h_4(K_{ji} \| A \| ID_{U_i} \| ID_{CSP_j})$ and sends $\{D_i\}$ to $U_i$.
e) $U_i$ checks whether $D_i$ and $h_4(K_{ij} \| A \| ID_{U_i} \| ID_{CSP_j})$ are equal. If not, $U_i$ terminates the service request; otherwise, $U_i$ confirms that $CSP_j$ is a legal CSP.

Fig. 3. Tsai and Lo's PAA scheme.
B. Analysis of Tsai and Lo's PAA Scheme
Due to the openness of the MCC services environment, the adversary can completely control the communication between $U_i$ and $CSP_j$. Tsai and Lo proved that their PAA scheme resists many kinds of attacks. In this section, we demonstrate that their PAA scheme is insecure against the service provider impersonation attack. The adversary, holding only the public system parameters and the identity $ID_{CSP_j}$, can impersonate $CSP_j$ to $U_i$ by executing the following steps.
1) $U_i$ inputs his/her password $pw_{U_i}$ and fingerprint $f_{U_i}$, computes $S_{U_i} = E_{U_i} \oplus H(pw_{U_i} \| f_{U_i})$, and sends a service request to $CSP_j$.
2) The adversary intercepts the service request, selects a random nonce $a \in Z_q^*$, computes $A = e(P_{pub} + h_1(ID_{CSP_j}) \cdot P, P)^a$, and sends $\{A\}$ to $U_i$.
3) $U_i$ selects a random nonce $b \in Z_q^*$ and computes the session key $K_{ij} = h_2(A^b)$, $K_2 = b \cdot P_{pub} + h_1(ID_{CSP_j}) \cdot b \cdot P$, $W = b \cdot P_{pub} + h_1(ID_{U_i}) \cdot b \cdot P$, $\sigma_i = \frac{1}{b + h_3(ID_{U_i} \| A \| ID_{CSP_j} \| W \| K_{ij})} S_{U_i}$, and $C_i = K_{ij} \oplus (ID_{U_i} \| \sigma_i \| W)$. $U_i$ sends $\{K_2, C_i\}$ to $CSP_j$.
4) The adversary intercepts $\{K_2, C_i\}$, computes the session key $K_{ji} = h_2(e(K_2, P)^a)$, $(ID_{U_i} \| \sigma_i \| W) = K_{ji} \oplus C_i$, and $D_i = h_4(K_{ji} \| A \| ID_{U_i} \| ID_{CSP_j})$, and sends $\{D_i\}$ to $U_i$.
Since $A = e(P_{pub} + h_1(ID_{CSP_j}) \cdot P, P)^a$, $K_{ij} = h_2(A^b)$, $K_{ji} = h_2(e(K_2, P)^a)$, and $D_i = h_4(K_{ji} \| A \| ID_{U_i} \| ID_{CSP_j})$, we get the following equations:
$$
\begin{aligned}
K_{ij} &= h_2(A^b) \\
&= h_2\big(e(P_{pub} + h_1(ID_{CSP_j}) \cdot P, P)^{ab}\big) \\
&= h_2\big(e(b \cdot P_{pub} + h_1(ID_{CSP_j}) \cdot b \cdot P, P)^{a}\big) \\
&= h_2\big(e(K_2, P)^{a}\big) \\
&= K_{ji}
\end{aligned}
\tag{1}
$$
and
$$
\begin{aligned}
D_i &= h_4(K_{ji} \| A \| ID_{U_i} \| ID_{CSP_j}) \\
&= h_4(K_{ij} \| A \| ID_{U_i} \| ID_{CSP_j}).
\end{aligned}
\tag{2}
$$
Then the message $\{D_i\}$ passes $U_i$'s verification and the adversary impersonates $CSP_j$ to $U_i$ successfully. Therefore, Tsai and Lo's PAA scheme is insecure against the service provider impersonation attack. Besides, the adversary is able to extract $U_i$'s real identity by computing $(ID_{U_i} \| \sigma_i \| W) = K_{ji} \oplus C_i$. Therefore, Tsai and Lo's scheme is not able to provide user anonymity.
The root cause is that $A$ is an unauthenticated element of $G_2$ and the session key depends only on $A^b$: nothing in the protocol ties $A$ to knowledge of $S_{CSP_j}$, so by choosing $A$ as a power of $e(P_{pub} + h_1(ID_{CSP_j}) \cdot P, P)$ the adversary makes $A^b$ computable from the public message $K_2$ alone, and with the session key in hand both the identity in $C_i$ and the confirmation value $D_i$ follow.
IV. OUR PROPOSED PAA SCHEME
To address the serious security problems in Tsai and Lo's PAA scheme and to improve performance, we propose a new PAA scheme for MCC services using an identity-based signature scheme [42]. The three phases of our PAA scheme are presented as follows.
1) System setup phase
$SCG$ selects its master key and the system parameters by executing the following steps.
a) $SCG$ selects two groups $G_1$ and $G_2$ with the same prime order $q$ and a generator $P$ of $G_1$.
b) $SCG$ chooses a bilinear pairing $e : G_1 \times G_1 \to G_2$ and calculates $g = e(P, P)$.
c) $SCG$ selects a random nonce $s \in Z_q^*$ as the master key and computes the public key $P_{pub} = s \cdot P$.
d) $SCG$ selects five secure hash functions $h_1 : \{0,1\}^* \to Z_q^*$, $h_2 : G_2 \to \{0,1\}^*$, $h_3 : \{0,1\}^* \to Z_q^*$, $h_4 : \{0,1\}^* \to Z_q^*$, and $H : \{0,1\}^* \to G_1$.
e) $SCG$ publishes $params = \{q, G_1, G_2, e, h_1, h_2, h_3, h_4, H, P, g\}$ and keeps $s$ secret.
2) Registration phase
In this phase, $U_i$ and $CSP_j$ register with $SCG$ and obtain their private keys through the following steps.
$U_i$ registers with $SCG$ as follows.
a) $U_i$ sends his/her identity $ID_{U_i}$ to $SCG$ using a secure channel.
b) $SCG$ uses its master key to compute $S_{U_i} = \frac{1}{s + h_1(ID_{U_i})} P$ and sends $S_{U_i}$ to $U_i$ using a secure channel.
c) $U_i$ computes $E_{U_i} = S_{U_i} \oplus H(ID_{U_i} \| pw_{U_i})$ and stores it in his/her mobile device, where $pw_{U_i}$ is $U_i$'s password.
$CSP_j$ registers with $SCG$ as follows.
a) $CSP_j$ sends its identity $ID_{CSP_j}$ to $SCG$ using a secure channel.
b) $SCG$ uses its master key to compute $S_{CSP_j} = \frac{1}{s + h_1(ID_{CSP_j})} P$ and sends $S_{CSP_j}$ to $CSP_j$ using a secure channel.
c) $CSP_j$ stores $S_{CSP_j}$ in secure memory.
3) Authentication phase
As shown in Fig. 4, $U_i$ and $CSP_j$ authenticate each other and generate a session key through the following steps.
a) $U_i$ inputs his/her password $pw_{U_i}$. The mobile device computes $S_{U_i} = E_{U_i} \oplus H(ID_{U_i} \| pw_{U_i})$ and sends a service request to $CSP_j$.
b) $CSP_j$ selects a random nonce $a \in Z_q^*$, computes $A = a \cdot P$, and sends $\{A\}$ to $U_i$.
c) $U_i$ selects two random nonces $b, r \in Z_q^*$ and computes $B = g^b$, the session key $K_{ij} = h_2(A \| B \| A^b)$, $K_2 = b \cdot (P_{pub} + h_1(ID_{CSP_j}) \cdot P)$, $R = g^r$, $\alpha_{U_i} = h_3(ID_{U_i} \| ID_{CSP_j} \| A \| B \| K_{ij} \| K_2 \| R)$, $\beta_{U_i} = (r + \alpha_{U_i}) S_{U_i}$, and $C_i = h_4(B) \oplus (ID_{U_i} \| \alpha_{U_i} \| \beta_{U_i})$, where $(\alpha_{U_i}, \beta_{U_i})$ is $U_i$'s identity-based signature on the session values (we write $\alpha_{U_i}$ and $\beta_{U_i}$ for these two components throughout). Then $U_i$ sends $\{K_2, C_i\}$ to $CSP_j$.
d) $CSP_j$ computes $B = e(K_2, S_{CSP_j})$, the session key $K_{ji} = h_2(A \| B \| B^a)$, $(ID_{U_i} \| \alpha_{U_i} \| \beta_{U_i}) = h_4(B) \oplus C_i$, and $R = e(\beta_{U_i}, P_{pub} + h_1(ID_{U_i}) \cdot P) \cdot g^{-\alpha_{U_i}}$. $CSP_j$ verifies whether $\alpha_{U_i} = h_3(ID_{U_i} \| ID_{CSP_j} \| A \| B \| K_{ji} \| K_2 \| R)$ holds. If not, $CSP_j$ rejects the service request; otherwise, $CSP_j$ computes $D_i = h_4(ID_{CSP_j} \| ID_{U_i} \| A \| K_{ji} \| K_2 \| B)$ and sends $\{D_i\}$ to $U_i$.
e) $U_i$ checks whether $D_i$ and $h_4(ID_{CSP_j} \| ID_{U_i} \| A \| K_{ij} \| K_2 \| B)$ are equal. If not, $U_i$ terminates the service request; otherwise, $U_i$ confirms that $CSP_j$ is a legal CSP.

Fig. 4. Our proposed PAA scheme.

Since $S_{U_i} = \frac{1}{s + h_1(ID_{U_i})} P$, $S_{CSP_j} = \frac{1}{s + h_1(ID_{CSP_j})} P$, $A = a \cdot P$, $B = g^b$, $K_{ij} = h_2(A \| B \| A^b)$, $K_2 = b \cdot (P_{pub} + h_1(ID_{CSP_j}) \cdot P)$, $R = g^r$, $\beta_{U_i} = (r + \alpha_{U_i}) S_{U_i}$, and $C_i = h_4(B) \oplus (ID_{U_i} \| \alpha_{U_i} \| \beta_{U_i})$, we get the following three equations:
$$
\begin{aligned}
e(K_2, S_{CSP_j}) &= e\Big(b \cdot (P_{pub} + h_1(ID_{CSP_j}) \cdot P),\ \frac{1}{s + h_1(ID_{CSP_j})} P\Big) \\
&= e\Big(b \cdot (s \cdot P + h_1(ID_{CSP_j}) \cdot P),\ \frac{1}{s + h_1(ID_{CSP_j})} P\Big) \\
&= e\Big(b \cdot (s + h_1(ID_{CSP_j})) \cdot P,\ \frac{1}{s + h_1(ID_{CSP_j})} P\Big) \\
&= e(P, P)^{b \cdot (s + h_1(ID_{CSP_j})) \cdot \frac{1}{s + h_1(ID_{CSP_j})}} \\
&= g^b \\
&= B,
\end{aligned}
\tag{3}
$$
$$
\begin{aligned}
e(\beta_{U_i}, P_{pub} + h_1(ID_{U_i}) \cdot P) \cdot g^{-\alpha_{U_i}} &= e\big((r + \alpha_{U_i}) S_{U_i},\ P_{pub} + h_1(ID_{U_i}) \cdot P\big) \cdot g^{-\alpha_{U_i}} \\
&= e\Big((r + \alpha_{U_i}) \frac{1}{s + h_1(ID_{U_i})} P,\ (s + h_1(ID_{U_i})) \cdot P\Big) \cdot g^{-\alpha_{U_i}} \\
&= e(P, P)^{(r + \alpha_{U_i}) \cdot \frac{1}{s + h_1(ID_{U_i})} \cdot (s + h_1(ID_{U_i}))} \cdot g^{-\alpha_{U_i}} \\
&= g^{r + \alpha_{U_i}} \cdot g^{-\alpha_{U_i}} \\
&= g^r \\
&= R,
\end{aligned}
\tag{4}
$$
and
$$
\begin{aligned}
K_{ji} &= h_2(A \| B \| B^a) \\
&= h_2\big(A \| B \| (g^b)^a\big) \\
&= h_2\big(A \| B \| (g^a)^b\big) \\
&= h_2(A \| B \| A^b) \\
&= K_{ij}.
\end{aligned}
\tag{5}
$$
Equation (3) shows that $CSP_j$ recovers the $B$ with which $U_i$ masked $C_i$, (4) shows that it recovers $R$ and can therefore recompute and check $\alpha_{U_i}$, and (5) shows that both sides derive the same session key; together they prove the correctness of our proposed PAA scheme. Note that (5) reads $A$ as $g^a \in G_2$, whereas step b) of the authentication phase writes $A = a \cdot P \in G_1$. With $A \in G_1$, $U_i$ obtains $g^{ab}$ as $e(A, P)^b$ in place of $A^b$, and both readings give the same session key on both sides; Theorem 2 in Section V is stated under the CDH problem in $G_2$, which corresponds to the reading $A = g^a$.
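The following Python script is an added example, not the authors' code: it runs Tsai and Lo's scheme, the service provider impersonation attack of Section III-B, and the proposed scheme end to end so that equations (1)-(5) can be checked by execution rather than by hand. Everything beyond the page is an assumption and labelled as such in the code: the pairing is an insecure stand-in ($G_1 = Z_q$ with $P = 1$, $G_2$ the order-$q$ subgroup of $Z_p^*$ with $p = 2q + 1$, $e(X, Y) = g^{XY}$), the hash functions $h_1$ to $h_4$ are SHA-256 with domain tags, the XOR masking of $C_i$ is a SHA-256 keystream one-time pad, the identities "alice" and "csp1" are constructed, and $A$ is read as $g^a \in G_2$ as in (5). With only public data, the attacker recovers $U_i$'s identity and passes $U_i$'s check under Tsai and Lo's scheme, while the same attacker's forged $D_i$ is rejected by the proposed scheme even when $ID_{U_i}$ is already known to it.

```python
"""Toy run of Tsai and Lo's PAA scheme, the impersonation attack of Section III-B,
and the proposed scheme of Section IV (added example, not the authors' code).
ASSUMPTION: an insecure stand-in pairing so the algebra runs without a pairing
library: G1 = (Z_q, +) with P = 1 (a*P is a mod q, so DLP in G1 is trivial), G2 =
the order-q subgroup of Z_p^* with p = 2q + 1, e(X, Y) = g^(XY).  It is bilinear
and non-degenerate, which is all that equations (1)-(5) and the attack use."""
import hashlib
import secrets

def setup(start=1 << 28):  # SCG setup: safe prime p = 2q + 1, g = 4 of order q, Ppub = s*P
    is_prime = lambda n: n > 1 and all(n % i for i in range(2, int(n ** 0.5) + 1))
    q = start | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    s = secrets.randbelow(q - 2) + 1
    return {"q": q, "p": 2 * q + 1, "g": 4, "P": 1, "Ppub": s}, s

def e(pr, X, Y):  # toy pairing: e(X*P, Y*P) = g^(XY)
    return pow(pr["g"], X * Y % pr["q"], pr["p"])

def _h(tag, parts, mod=None):  # h1/h3/h4 -> Z_q (mod=q); h2 -> 32 bytes (mod=None)
    d = hashlib.sha256("|".join(map(repr, (tag, *parts))).encode()).digest()
    return d if mod is None else int.from_bytes(d, "big") % mod

def _pad(key, data):  # one-time pad from a SHA-256 keystream; stands in for the XOR
    ks = b"".join(hashlib.sha256(repr(key).encode() + bytes([i])).digest() for i in range(len(data) // 32 + 1))
    return bytes(x ^ y for x, y in zip(data, ks))

def extract(pr, s, ident):  # registration: S_ID = 1/(s + h1(ID)) * P
    return pow((s + _h("h1", [ident], pr["q"])) % pr["q"], -1, pr["q"])

def tl_user(pr, id_u, S_u, id_c, A):  # Tsai-Lo step c)
    q, p, b = pr["q"], pr["p"], secrets.randbelow(pr["q"] - 1) + 1
    K = _h("h2", [pow(A, b, p)])                                      # K_ij = h2(A^b)
    K2, W = b * (pr["Ppub"] + _h("h1", [id_c], q)) % q, b * (pr["Ppub"] + _h("h1", [id_u], q)) % q
    sigma = pow((b + _h("h3", [id_u, A, id_c, W, K], q)) % q, -1, q) * S_u % q
    return K, (K2, _pad(K, f"{id_u}|{sigma}|{W}".encode()))

def tl_csp(pr, id_c, S_c, a, A, K2, C):  # Tsai-Lo step d): K_ji, open C_i, verify sigma_i
    q, p = pr["q"], pr["p"]
    K = _h("h2", [pow(e(pr, K2, S_c), a, p)])                         # K_ji = h2(e(K2, S_CSP)^a)
    id_u, sigma, W = _pad(K, C).decode().split("|")
    Q_u, W = pr["Ppub"] + _h("h1", [id_u], q), int(W)
    if e(pr, int(sigma), (W + _h("h3", [id_u, A, id_c, W, K], q) * Q_u) % q) != pr["g"]:
        return None                                                   # e(sigma, W + h3*Q_U) != g
    return K, id_u, _h("h4", [K, A, id_u, id_c], q)

def tl_impersonate_csp(pr, id_c, user):  # attacker with public data only (III-B steps 2, 4)
    q, p, a = pr["q"], pr["p"], secrets.randbelow(pr["q"] - 1) + 1
    A = pow(e(pr, pr["Ppub"] + _h("h1", [id_c], q), pr["P"]), a, p)   # g^{a(s+h1(ID_CSP))}
    K_user, (K2, C) = user(A)                                         # honest user answers the fake A
    K_adv = _h("h2", [pow(e(pr, K2, pr["P"]), a, p)])                 # equals K_ij by (1)
    id_u = _pad(K_adv, C).decode().split("|")[0]                      # real identity leaks
    D = _h("h4", [K_adv, A, id_u, id_c], q)
    return D == _h("h4", [K_user, A, id_u, id_c], q), id_u           # U_i's check in step e)

def new_user(pr, id_u, S_u, id_c, A):  # proposed step c); A = g^a in G2 as read in (5)
    q, p, g = pr["q"], pr["p"], pr["g"]
    b, r = secrets.randbelow(q - 1) + 1, secrets.randbelow(q - 1) + 1
    B, R = pow(g, b, p), pow(g, r, p)
    K = _h("h2", [A, B, pow(A, b, p)])                                # K_ij = h2(A||B||A^b)
    K2 = b * (pr["Ppub"] + _h("h1", [id_c], q)) % q
    alpha = _h("h3", [id_u, id_c, A, B, K, K2, R], q)
    beta = (r + alpha) * S_u % q                                      # identity-based signature
    return K, B, (K2, _pad(_h("h4", [B], q), f"{id_u}|{alpha}|{beta}".encode()))

def new_csp(pr, id_c, S_c, a, A, K2, C):  # proposed step d): recover B and R, check alpha
    q, p, g = pr["q"], pr["p"], pr["g"]
    B = e(pr, K2, S_c)                                                # = g^b by (3)
    K = _h("h2", [A, B, pow(B, a, p)])                                # K_ji = h2(A||B||B^a)
    id_u, alpha, beta = _pad(_h("h4", [B], q), C).decode().split("|")
    alpha, beta = int(alpha), int(beta)
    R = e(pr, beta, pr["Ppub"] + _h("h1", [id_u], q)) * pow(g, -alpha, p) % p  # = g^r by (4)
    if alpha != _h("h3", [id_u, id_c, A, B, K, K2, R], q):
        return None
    return K, id_u, _h("h4", [id_c, id_u, A, K, K2, B], q)

def new_impersonate_csp(pr, id_c, id_u, user):  # same trick vs. the new scheme, ID_U even known
    q, p, a = pr["q"], pr["p"], secrets.randbelow(pr["q"] - 1) + 1
    A = pow(e(pr, pr["Ppub"] + _h("h1", [id_c], q), pr["P"]), a, p)
    K_user, B_user, (K2, C) = user(A)
    B_adv = e(pr, K2, pr["P"])                                        # g^{b(s+h1(ID_CSP))}, not g^b
    K_adv = _h("h2", [A, B_adv, pow(B_adv, a, p)])
    D = _h("h4", [id_c, id_u, A, K_adv, K2, B_adv], q)
    return D == _h("h4", [id_c, id_u, A, K_user, K2, B_user], q)      # user rejects the forged D_i

def demo():  # honest runs of both schemes, then the attack against each
    pr, s = setup()
    S_a, S_c = extract(pr, s, "alice"), extract(pr, s, "csp1")        # constructed identities
    a = secrets.randbelow(pr["q"] - 1) + 1
    A = pow(pr["g"], a, pr["p"])                                      # honest CSP: A = g^a
    K_u, (K2, C) = tl_user(pr, "alice", S_a, "csp1", A)
    K_c, _, D = tl_csp(pr, "csp1", S_c, a, A, K2, C)
    K_u2, B, (K2b, C2) = new_user(pr, "alice", S_a, "csp1", A)
    K_c2, _, D2 = new_csp(pr, "csp1", S_c, a, A, K2b, C2)
    broken, leaked = tl_impersonate_csp(pr, "csp1", lambda A: tl_user(pr, "alice", S_a, "csp1", A))
    resists = not new_impersonate_csp(pr, "csp1", "alice", lambda A: new_user(pr, "alice", S_a, "csp1", A))
    return {"tsai_lo_correct": K_u == K_c and D == _h("h4", [K_u, A, "alice", "csp1"], pr["q"]),
            "proposed_correct": K_u2 == K_c2 and D2 == _h("h4", ["csp1", "alice", A, K_u2, K2b, B], pr["q"]),
            "tsai_lo_impersonated": broken, "leaked_id": leaked, "proposed_resists": resists}
```

`demo()` returns the five checks. Because the stand-in pairing makes discrete logarithms in $G_1$ trivial, the script measures nothing about security strength; it only confirms that each party's equations close in the honest runs, that the attacker's $K_{ji}$ in Tsai and Lo's scheme equals $U_i$'s $K_{ij}$ exactly as (1) predicts, and that in the proposed scheme the attacker's best substitute for $B$, namely $e(K_2, P) = g^{b(s + h_1(ID_{CSP_j}))}$, is not $g^b$, so neither $C_i$ nor $D_i$ can be produced without $S_{CSP_j}$.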
V. SECURITY ANALYSIS
To demonstrate the robustness of our proposed PAA scheme for MCC services, its security is analyzed in this section. First, we present a security model for the PAA scheme. Second, we show that our proposed PAA scheme for MCC services is provably secure. Third, we demonstrate that our proposed PAA scheme for MCC services meets the security requirements presented in Section II. Finally, security comparisons are presented.
A. Security Model
Based on previous security models for authentication schemes [45], [46], we define the security model for the PAA scheme for MCC services, which is used to analyze the security of our proposed PAA scheme.
Let $User$ and $CloudServiceProvider$ denote the sets of users and CSPs, respectively. Every member of $User$ and $CloudServiceProvider$ obtains its private key from the trusted smart card generator $SCG$. According to the network model of the PAA scheme for MCC services, a user $U_i \in User$ and a $CSP_j \in CloudServiceProvider$ are involved in an execution of the PAA scheme. Let $\mathcal{A}$ be an adversary; an instance of a participant denotes one run of that participant, where the participant is $U_i$ or $CSP_j$. The security of the PAA scheme is defined by a game executed between $\mathcal{A}$ and a challenger $\mathcal{C}$. In the game, $\mathcal{A}$ can make the following kinds of queries, which $\mathcal{C}$ answers as follows.
1) $h_i$-query: Upon receiving the query with $m_i$, $\mathcal{C}$ checks whether $(m_i, r_i)$ exists in the list $L_{h_i}$. If so, $\mathcal{C}$ returns $r_i$ to $\mathcal{A}$; otherwise, $\mathcal{C}$ selects a random element $r_i \in Z_q^*$, inserts $(m_i, r_i)$ into $L_{h_i}$, and returns $r_i$ to $\mathcal{A}$, where $i = 1, 2, 3, 4$.
2) $H$-query: Upon receiving the query with $m$, $\mathcal{C}$ checks whether $(m, R)$ exists in the list $L_H$. If so, $\mathcal{C}$ returns $R$ to $\mathcal{A}$; otherwise, $\mathcal{C}$ selects a random element $R \in G_1$, inserts $(m, R)$ into $L_H$, and returns $R$ to $\mathcal{A}$.
3) Create-query: Upon receiving the query with a participant's identity $ID$, $\mathcal{C}$ generates that participant's private key.
4) Send-query: Upon receiving the query with an instance and a message $m$, $\mathcal{C}$ runs the corresponding steps of the PAA scheme and returns the corresponding response to $\mathcal{A}$.
5) Reveal-query: Upon receiving the query with an instance, $\mathcal{C}$ returns the session key held by that instance to $\mathcal{A}$.
6) Corrupt-query: Upon receiving the query with a participant's identity $ID$, $\mathcal{C}$ returns that participant's private key to $\mathcal{A}$.
7) Test-query: Upon receiving the query with an instance, $\mathcal{C}$ flips a coin $c \in \{0, 1\}$. If $c = 1$, $\mathcal{C}$ returns the session key held by that instance to $\mathcal{A}$; otherwise, $\mathcal{C}$ chooses a random string of the same length as the session key and returns it to $\mathcal{A}$.
The adversary $\mathcal{A}$ is said to violate MA if it forges a legal login message or a legal response message. Let $E_{FLM}$ and $E_{FRM}$ denote the events of forging a legal login message and a legal response message, respectively. The advantage of $\mathcal{A}$ in violating the MA of the PAA scheme is defined as
$$
Adv^{MA}(\mathcal{A}) = \Pr[E_{FLM}] + \Pr[E_{FRM}].
$$
Definition 1: We say that a PAA scheme for MCC services is MA-secure if the advantage $Adv^{MA}(\mathcal{A})$ is negligible for any adversary $\mathcal{A}$.
After making the Test query, $\mathcal{A}$ outputs its guess $c'$ about the coin $c \in \{0, 1\}$. Let $E_{GC}$ be the event that $\mathcal{A}$ guesses $c$ correctly. The advantage of $\mathcal{A}$ in violating the authenticated key exchange (AKE) of the PAA scheme is defined as
$$
Adv^{AKE}(\mathcal{A}) = \big|2 \Pr[E_{GC}] - 1\big|.
$$
Definition 2: We say that a PAA scheme for MCC services is AKE-secure if $Adv^{AKE}(\mathcal{A})$ is negligible for any adversary $\mathcal{A}$.

B. Security Theory
We prove that our proposed PAA scheme for MCC services
is MA-secure and AKE-secure if the k-CAA problem, the kmBIDH problem, and the CDH problem are hard in this section.
Lemma 1: There is no adversary who can forge a legal login message if the k-CAA problem is difficult.
Proof: Assume that A can output a legal login message $\{K_2, C_i\}$ with a nonnegligible probability $\varepsilon$ at the end of the game. According to the forking lemma [47], A can output another legal login message $\{K_2, C'_i\}$ with probability $\varepsilon^2$ by selecting a different random oracle $h_3$. Due to the legality of the two messages, we get the following equations:

$$R = e(\sigma_{U_i}, P_{pub} + h_1(ID_{U_i})P)\cdot g^{\alpha_{U_i}} \qquad (6)$$

and

$$R = e(\sigma'_{U_i}, P_{pub} + h_1(ID_{U_i})P)\cdot g^{\alpha'_{U_i}}. \qquad (7)$$

According to the above two equations, we get the following equations:

$$e(\sigma_{U_i} - \sigma'_{U_i}, P_{pub} + h_1(ID_{U_i})P) = \frac{e(\sigma_{U_i}, P_{pub} + h_1(ID_{U_i})P)}{e(\sigma'_{U_i}, P_{pub} + h_1(ID_{U_i})P)} = \frac{R/g^{\alpha_{U_i}}}{R/g^{\alpha'_{U_i}}} = g^{\alpha'_{U_i} - \alpha_{U_i}} \qquad (8)$$

and

$$e\big((\alpha'_{U_i} - \alpha_{U_i})^{-1}(\sigma_{U_i} - \sigma'_{U_i}),\; P_{pub} + h_1(ID_{U_i})P\big) = g. \qquad (9)$$

For given $P, sP \in G_1$, $\alpha_1, \alpha_2, \ldots, \alpha_k \in Z_q^*$, $\frac{1}{s+\alpha_1}P, \frac{1}{s+\alpha_2}P, \ldots, \frac{1}{s+\alpha_k}P$, and $h_1(ID_{U_i}) = \alpha$, A can output $(\alpha'_{U_i} - \alpha_{U_i})^{-1}(\sigma_{U_i} - \sigma'_{U_i})$ as the answer to the k-CAA problem, i.e., C can solve the k-CAA problem with a nonnegligible advantage. Due to the difficulty of the k-CAA problem, we know that there is no adversary against our proposed PAA scheme that can forge a legal login message.
Lemma 2: There is no adversary who can forge a legal response message if the k-mBIDH problem is difficult.
Proof: Let $E_{FLM}$ and $E_{FRM}$ denote the events of forging a legal login message and a legal response message, respectively. According to the proof of Lemma 1, we assume that the event $E_{FLM}$ does not happen. Suppose that an adversary A against our proposed PAA scheme forges a response message with a nonnegligible advantage $\varepsilon$, i.e., A can forge a response message $\{D_i\}$ after receiving the login message $\{K_2, C_i\}$, and $\{D_i\}$ can pass $U_i$'s verification, where $K_{ij} = h_2(A||B||A^b)$, $K_2 = b(P_{pub} + h_1(ID_{CSP_j})P)$, $B = g^b$, $\alpha = h_3(ID_{U_i}||ID_{CSP_j}||A||K_{ij}||K_2||B)$, $\sigma_i = (b - \alpha)S_{U_i}$, $C_i = h_4(B) \oplus (ID_{U_i}||\sigma_{U_i}||\alpha_{U_i})$, and $D_i = h_4(ID_{CSP_j}||ID_{U_i}||A||K_{ji}||K_2||B)$.
Then, one of the below cases must occur.
$E_1$. The adversary A can guess the value $D_i$ correctly.
$E_2$. The message $\{K_2, C_i\}$ has appeared in a previous session.
$E_3$. A asks an $h_4$-query with the message $(ID_{CSP_j}, ID_{U_i}, A, K_{ji}, K_2, B)$.
According to the values of $D_i$, $K_2$, and $C_i$, we can get $\Pr[E_1] \le \frac{q_U}{q^3}$ and $\Pr[E_2] \le \frac{q_U^2}{q^2}$, where $q_U$ denotes the maximum number of users. Based on the above analysis, we can also get

$$\Pr[E_{FRM}\,|\,\neg E_{FLM}] \le \Pr[D_i = h_4(ID_{CSP_j}||ID_{U_i}||A||K_{ji}||K_2||B)\,|\,K_2 \in G_1, B \in G_2] + \frac{q_U}{q^3} + \frac{q_U^2}{q^2}. \qquad (10)$$

That is, if A forges $\{D_i\}$ with nonnegligible advantage, case $E_3$ must occur, so A must have computed $B = g^b$ from $K_2$ without knowing $S_{CSP_j}$.
Assume $P_{pub} = sP$, $h_1(ID_{CSP_j}) = \alpha$, and $K_2 = tP$ for some $s, t, \alpha \in Z_q^*$. Given $P, sP, tP \in G_1$, $\alpha_1, \alpha_2, \ldots, \alpha_k \in Z_q^*$, $\frac{1}{s+\alpha_1}P, \frac{1}{s+\alpha_2}P, \ldots, \frac{1}{s+\alpha_k}P$, and $\alpha \in Z_q^*$, A can compute $B' = e(K_2, S_{CSP_j}) = e(P, P)^{t/(s+\alpha)}$ as the solution to the k-mBIDH problem, i.e., C can solve the k-mBIDH problem with a nonnegligible advantage. Due to the difficulty of the k-mBIDH problem, we know there is no adversary against our proposed
PAA scheme that can forge a response message.
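As an added check that is not part of the original proofs, substituting the scheme's key form $S_{U_i} = (s + h_1(ID_{U_i}))^{-1}P$ and $\sigma_{U_i} = (b - \alpha_{U_i})S_{U_i}$ into the values extracted in Lemmas 1 and 2 confirms that they are exactly the k-CAA and k-mBIDH answers; recall that the forking-lemma replay keeps the same nonce $b$ and changes only $\alpha_{U_i}$ to $\alpha'_{U_i}$.

$$\sigma_{U_i} - \sigma'_{U_i} = (b - \alpha_{U_i})S_{U_i} - (b - \alpha'_{U_i})S_{U_i} = (\alpha'_{U_i} - \alpha_{U_i})\,S_{U_i},$$

so that

$$(\alpha'_{U_i} - \alpha_{U_i})^{-1}(\sigma_{U_i} - \sigma'_{U_i}) = S_{U_i} = \frac{1}{s + \alpha}P, \qquad \alpha = h_1(ID_{U_i}),$$

which is the k-CAA answer for $\alpha$ and agrees with (9), because $e\big(\tfrac{1}{s+\alpha}P, (s+\alpha)P\big) = e(P, P) = g$. For Lemma 2, now with $\alpha = h_1(ID_{CSP_j})$, $K_2 = b(P_{pub} + h_1(ID_{CSP_j})P) = b(s+\alpha)P = tP$ and $S_{CSP_j} = \tfrac{1}{s+\alpha}P$, so

$$e(K_2, S_{CSP_j}) = e\big(b(s+\alpha)P, \tfrac{1}{s+\alpha}P\big) = e(P, P)^{b} = g^{b} = B = e(P, P)^{t/(s+\alpha)},$$

i.e., recovering $B$ from $K_2$ without $S_{CSP_j}$ is precisely the k-mBIDH instance $(P, sP, tP, \alpha) \mapsto e(P, P)^{t/(s+\alpha)}$.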
Theorem 1: Our proposed PAA scheme for MCC services
is MA-secure if the k-CAA and the k-mBIDH problems are
difficult.
Proof: According to the proofs of Lemmas 1 and 2, we
conclude that there is no adversary who can output a valid login
message or a response message with a nonnegligible advantage.
Therefore, our proposed PAA scheme for MCC services is MA-secure if the k-CAA problem and the k-mBIDH problem are hard.

Theorem 2: Our proposed PAA scheme for MCC services is
AKE-secure if the CDH problem is hard.
Proof: Suppose the adversary A can guess c correctly with a nonnegligible probability $\varepsilon$. Then, we can construct a challenger C to address the CDH problem by running A as a subalgorithm.
Let $E_{GC}$, $E_{Test(U)}$, and $E_{Test(CSP)}$ denote the events that A guesses the value of c correctly, A makes a Test query to some $U_i$, and A makes a Test query to some $CSP_j$, respectively. Let $E_{FLM}$ and $E_{FRM}$ denote the events of forging a legal login message and a legal response message, respectively. We can get the following two equations:

$$\Pr[E_{GC}] = \Pr[E_{GC} \wedge E_{Test(U)}] + \Pr[E_{GC} \wedge E_{Test(CSP)} \wedge E_{FLM}] + \Pr[E_{GC} \wedge E_{Test(CSP)} \wedge \neg E_{FLM}] = \varepsilon \qquad (11)$$

and

$$\Pr[E_{GC} \wedge E_{Test(U)}] + \Pr[E_{GC} \wedge E_{Test(CSP)} \wedge \neg E_{FLM}] = \varepsilon - \Pr[E_{GC} \wedge E_{Test(CSP)} \wedge E_{FLM}] \ge \varepsilon - \Pr[E_{FLM}]. \qquad (12)$$

Since the events $E_{Test(U)}$ and $E_{Test(CSP)} \wedge \neg E_{FLM}$ are equally likely, we can get $\Pr[E_{GC} \wedge E_{Test(U)}] \ge \varepsilon/2 - \Pr[E_{FLM}]/2$, i.e., the probability $\Pr[sk = h_2(A, B, K)\,|\,A, B \in G_2]$ that A is able to extract the session key is at least $\varepsilon/2 - \Pr[E_{FLM}]/2$, which is nonnegligible because $\varepsilon$ and $\Pr[E_{FLM}]$ are nonnegligible and negligible, respectively.
Given $(g, A = g^a, B = g^b)$, A is able to extract the session key $sk = h_2(A, B, K)$ with a nonnegligible probability. Thus, A can compute $K = A^b = B^a = g^{ab}$ with the same nonnegligible probability, i.e., C is able to address the CDH problem with a nonnegligible probability by executing A as a subalgorithm. Due to the difficulty of the CDH problem, we know there is no adversary against our proposed PAA scheme that can guess c correctly, i.e., our proposed PAA scheme for MCC services is AKE-secure.
C. Security Requirements Analysis
Mutual authentication: Based on the proofs of Lemmas 1 and 2, we know that no adversary is able to forge a legal login message or response message. Therefore, $U_i$ ($CSP_j$) can authenticate $CSP_j$ ($U_i$) by checking the validity of the received response message (login message). Therefore, our proposed PAA scheme for MCC services is able to support MA.
User anonymity: The user's identity $ID_{U_i}$ is hidden in the login message $\{K_2, C_i\}$, where $C_i = h_4(B) \oplus (ID_{U_i}||\sigma_{U_i}||\alpha_{U_i})$, $B = g^b$, $K_{ij} = h_2(A||B||A^b)$, $K_2 = b(P_{pub} + h_1(ID_{CSP_j})P)$, $\alpha = h_3(ID_{U_i}||ID_{CSP_j}||A||K_{ij}||K_2||B)$, and $\sigma_i = (b - \alpha)S_{U_i}$. To get the user's identity $ID_{U_i}$, the adversary has to compute $B = g^b$ from $K_2 = b(P_{pub} + h_1(ID_{CSP_j})P)$, i.e., the adversary faces the k-mBIDH problem. Because the k-mBIDH problem is difficult, we know that no adversary can extract $ID_{U_i}$ from $C_i$. Thus, our proposed PAA scheme for MCC services can support user anonymity.
Untraceability: The user produces a new random nonce b in each session to generate a new login message, where $C_i = h_4(B) \oplus (ID_{U_i}, \sigma_i)$, $B = g^b$, $K_{ij} = h_2(A, B, A^b)$, $K_2 = b(P_{pub} + h_1(ID_{CSP_j})P)$, $\alpha = h_3(ID_{U_i}, ID_{CSP_j}, A, K_{ij}, K_2, B)$, and $\sigma_i = (b - \alpha)S_{U_i}$. Due to the randomness of b, there is no relation between two login messages, i.e., the adversary is not able to trace the user's actions by observing the login messages. Thus, our proposed PAA scheme for MCC services is able to support untraceability.
Key establishment: In the execution of our proposed PAA
scheme, both the CSP and the user compute the session key
sk = h2 (A||B||K), which is used for future secure communication between them. Thus, our proposed PAA scheme for MCC
services supports key establishment.
Known session key security: Based on the description of our proposed PAA scheme, the user and the CSP produce new random nonces $a \in Z_q^*$ and $b \in Z_q^*$ and compute the session key $sk = h_2(g^a||g^b||g^{ab})$ in each execution of the proposed PAA scheme. The adversary cannot compute $g^{ab}$ from $g^a$ and $g^b$ even if he gets some session keys generated in previous sessions, because he faces the CDH problem. Thus, our proposed PAA scheme for MCC services supports known session key security.
Perfect forward secrecy: Assume that there is an adversary who is able to get the private keys of the user and the CSP. Using the private keys and the messages intercepted in a previous session, the adversary can get $A = g^a$ and $B = g^b$. However, he cannot compute $g^{ab}$ from $g^a$ and $g^b$ because he has to solve the CDH problem. Thus, the adversary is not able to extract a previously produced session key even if he is able to extract both private keys of the user and the CSP. Thus, our proposed PAA scheme for MCC services is able to support perfect forward secrecy.
No verifier table: Based on the description of our proposed PAA scheme, no verifier table is maintained by the user, the CSP, or the trusted smart card for achieving MA. Therefore, our proposed PAA scheme for MCC services provides the no-verifier-table property.
No clock synchronization: In our proposed PAA scheme, no timestamp is used for MA between the user and the CSP. Thus, it is not necessary to achieve clock synchronization in the system. Therefore, our proposed PAA scheme for MCC services requires no clock synchronization.
Resistance of known attacks: We prove that our proposed PAA scheme for MCC services is able to resist the insider attack, the stolen card attack, the replay attack, the user impersonation attack, the CSP spoofing attack, the stolen verifier table attack, and the man-in-the-middle attack as follows.
1) Insider attack: An insider of the system can only intercept the user's identity $ID_i$ and cannot get any information about the user's password or private key when the user registers in the system. The identity is not useful for the insider's malicious actions. Thus, our proposed PAA scheme for MCC services resists the insider attack.
2) Stolen card attack: Suppose the adversary gets the user's smart card. He/she can extract $E_{U_i} = S_{U_i} \oplus H(ID_{U_i}, pw_{U_i})$ from the smart card through side channel attacks, where $S_{U_i} = \frac{1}{s + h_1(ID_{U_i})}P$. However, the adversary cannot get the private key $S_{U_i}$ because it is protected by the user's password and identity. Thus, our proposed PAA scheme for MCC services withstands the stolen card attack.
3) Replay attack: According to the description, the user and the CSP produce new random nonces $a \in Z_q^*$ and $b \in Z_q^*$ separately. Lemmas 1 and 2 show that there is no adversary who is able to forge a valid login message or response message corresponding to $a \in Z_q^*$ and $b \in Z_q^*$. Thus, the user and the CSP can detect a replayed message by checking the freshness of the received message. Thus, our proposed PAA scheme for MCC services resists the replay attack.
4) User impersonation attack: Based on the proof of Lemma 1, we know that no adversary can generate a legal login message. Thus, the CSP can detect the impersonation attack by verifying the validity of the received login message. Thus, our proposed PAA scheme for MCC services withstands the user impersonation attack.

TABLE I
SECURITY COMPARISONS OF TWO PAA SCHEMES

                              Tsai and Lo's PAA Scheme [41]   Our Proposed PAA Scheme
Mutual authentication         No                              Yes
User anonymity                No                              Yes
Untraceability                Yes                             Yes
Key establishment             Yes                             Yes
Known session key security    Yes                             Yes
Perfect forward secrecy       Yes                             Yes
No verifier table             Yes                             Yes
No clock synchronization      Yes                             Yes
Resistance of known attacks   No                              Yes

TABLE II
RUNNING TIME OF RELATED OPERATIONS (MILLISECOND)

          The User   The Server
T_mtp     33.582     5.493
T_bp      32.713     5.427
T_sm      13.405     2.165
T_pa       0.081     0.013
T_exp      2.249     0.339
T_mul      0.008     0.001
T_h        0.056     0.007

5) CSP spoofing attack: Based on the proof of Lemma 2, there is no adversary who can generate a legal response message. Thus, the user can detect the impersonation attack by verifying the validity of the received response message. Thus, our proposed PAA scheme for MCC services withstands the CSP spoofing attack.
6) Stolen verifier table attack: In our proposed PAA scheme, no verifier table is needed in the system. Therefore, the adversary cannot carry out the stolen verifier table attack, and our proposed PAA scheme for MCC services resists the stolen verifier table attack.
7) Man-in-the-middle attack: Based on the above analysis, we know that our proposed PAA scheme is able to support MA between the user and the CSP. Thus, our proposed PAA scheme for MCC services resists the man-in-the-middle attack.
D. Security Comparisons
The security comparisons between our proposed PAA scheme and Tsai and Lo's PAA scheme are presented in this section. Results of the security comparisons are listed in Table I.
According to the security analysis in Section III-B, we confirm that Tsai and Lo's PAA scheme cannot provide MA, user anonymity, or resistance to known attacks. The security analysis in the above section shows that our proposed PAA scheme satisfies all nine security requirements. Therefore, our proposed PAA scheme has better security than Tsai and Lo's PAA scheme.
VI. PERFORMANCE ANALYSIS
The computation and communication costs of our proposed PAA scheme for MCC services are analyzed in this section. We also compare them with those of Tsai and Lo's PAA scheme. The well-known Ate pairing [48] has been widely used in modern public key cryptography algorithms based on the bilinear pairing. We use it to evaluate our proposed PAA scheme and Tsai and Lo's PAA scheme [41].
To achieve the same security level as the 1024-bit RSA algorithm, we choose an Ate pairing e defined on a supersingular elliptic curve $E(F_p)$. $E(F_p)$ is defined over a finite field $F_p$, and an additive group $G_1$ of order q consisting of points on $E(F_p)$ is employed in the computation of the bilinear pairing, where p and q are a 512-bit prime number and a 160-bit prime number, respectively.

TABLE III
COMPUTATION COST COMPARISONS OF TWO PAA SCHEMES

          Tsai and Lo's PAA Scheme [41]                            Our Proposed PAA Scheme
U_i       T_mtp + 4T_sm + T_exp + 4T_h ≈ 89.675 ms                 T_mtp + 3T_sm + 2T_exp + 4T_h ≈ 78.519 ms
CSP_j     2T_bp + 2T_sm + 2T_pa + 2T_exp + 4T_h ≈ 16.096 ms        2T_bp + 2T_pa + 2T_exp + T_mul + 5T_h ≈ 11.774 ms

A. Computation Cost
In this section, we analyze the computation cost of our proposed PAA scheme and compare it with that of Tsai and Lo's PAA scheme [41]. The notations for the running times are listed as follows.
1) T_bp: The time of executing a bilinear pairing operation.
2) T_sm: The time of executing a scalar multiplication operation in G_1.
3) T_mtp: The time of executing a map-to-point hash function in G_1.
4) T_pa: The time of executing a point addition operation in G_1.
5) T_exp: The time of executing an exponentiation operation in G_2.
6) T_mul: The time of executing a multiplication operation in G_2.
7) T_h: The time of executing a general hash operation.
To achieve convincing comparisons of computation cost, we have implemented all operations involved in our proposed PAA scheme and Tsai and Lo's PAA scheme [41] using the Multiprecision Integer and Rational Arithmetic C/C++ Library [49] on a real platform, which consists of a mobile device (Samsung Galaxy S5 with a Quad-core 2.45 GHz processor, 2 Gb memory, and the Google Android 4.4.2 operating system) and a personal computer (Dell with an I5-4460S 2.90 GHz processor, 4 Gb memory, and the Windows 8 operating system) [50]. In our analysis, we use the mobile device and the personal computer to simulate the mobile user and the CSP, respectively. The running time of related operations is listed in Table II [50].
According to the above experimental results, we compare the computation cost of our proposed PAA scheme and Tsai and Lo's PAA scheme [41]. By counting the number of each operation, we get the time of executing both PAA schemes and list them in Table III.
Based on Table III, we confirm that the running time of the user in Tsai and Lo's PAA scheme and our proposed PAA scheme is 89.675 and 78.519 ms, respectively. We also know that

the running time of the CSP in Tsai and Lo's PAA scheme and our proposed PAA scheme is 16.096 and 11.774 ms, respectively. Therefore, we conclude that our proposed PAA scheme has less computation cost than Tsai and Lo's PAA scheme.

TABLE IV
COMMUNICATION COST COMPARISONS OF TWO PAA SCHEMES

Tsai and Lo's PAA Scheme [41]   Our Proposed PAA Scheme
4320 bits                       3296 bits

B. Communication Cost
Because p and q are a 512-bit prime number and a 160-bit prime number, respectively, the length of an element in G_1 or G_2 is 1024 bits and the output length of h_4 is 160 bits. We assume that the length of both the login request and the user's identity is 32 bits. We get the communication cost of our proposed PAA scheme and Tsai and Lo's PAA scheme in Table IV.
The user in Tsai and Lo's PAA scheme sends the login request and $\{K_2, C_i\}$ to the CSP, where $C_i = K_{ij} \oplus (ID_{U_i}, \sigma_i, W)$ and $K_2, \sigma_i, W \in G_1$. The CSP sends A and $D_i$ to the user, where $A \in G_2$ and $D_i$ is an output of $h_4$. Therefore, the communication cost of Tsai and Lo's PAA scheme is 32 + 32 + 1024 + 1024 + 1024 + 1024 + 160 = 4320 bits.
The user in our proposed PAA scheme sends the login request and $\{K_2, C_i\}$ to the CSP, where $C_i = K_{ij} \oplus (ID_{U_i}, \sigma_i)$ and $K_2, \sigma_i \in G_1$. The CSP sends A and $D_i$ to the user, where $A \in G_2$ and $D_i$ is an output of $h_4$. Therefore, the communication cost of our proposed PAA scheme is 32 + 32 + 1024 + 1024 + 1024 + 160 = 3296 bits.
Therefore, we can conclude that our proposed PAA scheme has less communication cost than Tsai and Lo's PAA scheme.


VII. CONCLUSION
Due to the highly dynamic nature of mobile devices in the MCC environment, traditional authentication schemes are not suitable for the various services in this environment. To solve the security problem in MCC services, Tsai and Lo proposed an efficient PAA scheme for MCC services using the bilinear pairing. This paper points out that Tsai and Lo's PAA scheme is vulnerable to a serious attack and is not able to support user anonymity. To address these serious weaknesses, the paper proposes a new PAA scheme for MCC services. Security analysis shows that our proposed PAA scheme solves the security problem existing in Tsai and Lo's PAA scheme. Besides, the performance analysis shows that our proposed PAA scheme has better performance than their PAA scheme.
In the future, we will explore more attributes of the proposed scheme, which can be applied for secure service access in the MCC environment.
REFERENCES
[1] M. Satyanarayanan, "Fundamental challenges in mobile computing," in Proc. 15th Annu. ACM Symp. Princ. Distrib. Comput., 1996, pp. 1–7.
[2] Z. Fu, X. Sun, Q. Liu, L. Zhou, and J. Shu, "Achieving efficient cloud search services: Multi-keyword ranked search over encrypted cloud data supporting parallel computing," IEICE Trans. Commun., vol. 98, no. 1, pp. 190–200, 2015.
[3] Z. Xia, X. Wang, X. Sun, and Q. Wang, "A secure and dynamic multi-keyword ranked search scheme over encrypted cloud data," IEEE Trans. Parallel Distrib. Syst., vol. 27, no. 2, pp. 340–352, Feb. 2016.
[4] M. Armbrust et al., "A view of cloud computing," Commun. ACM, vol. 53, no. 4, pp. 50–58, 2010.
[5] A. Lin and N.-C. Chen, "Cloud computing as an innovation: Perception, attitude, and adoption," Int. J. Inf. Manag., vol. 32, no. 6, pp. 533–540, 2012.
[6] Z. Fu, K. Ren, J. Shu, X. Sun, and F. Huang, "Enabling personalized search over encrypted outsourced data with efficiency improvement," IEEE Trans. Parallel Distrib. Syst., vol. 27, no. 9, pp. 2546–2559, Sep. 2016.
[7] Y. Ren, J. Shen, J. Wang, J. Han, and S. Lee, "Mutual verifiable provable data auditing in public cloud storage," J. Internet Technol., vol. 16, no. 2, pp. 317–323, 2015.
[8] L. Lamport, "Password authentication with insecure communication," Commun. ACM, vol. 24, no. 11, pp. 770–772, 1981.
[9] E.-J. Yoon, K.-Y. Yoo, C. Kim, Y.-S. Hong, M. Jo, and H.-H. Chen, "A secure and efficient SIP authentication scheme for converged VoIP networks," Comput. Commun., vol. 33, no. 14, pp. 1674–1681, 2010.
[10] R. Arshad and N. Ikram, "Elliptic curve cryptography based mutual authentication scheme for session initiation protocol," Multimedia Tools Appl., vol. 66, no. 2, pp. 165–178, 2013.
[11] S. H. Islam and G. Biswas, "Design of improved password authentication and update scheme based on elliptic curve cryptography," Math. Comput. Modelling, vol. 57, no. 11, pp. 2703–2717, 2013.
[12] P. Guo, J. Wang, X. Geng, S. K. Chang, and J.-U. Kim, "A variable threshold-value authentication architecture for wireless mesh networks," J. Internet Technol., vol. 15, no. 6, pp. 929–935, 2014.
[13] J. Shen, H. Tan, J. Wang, J. Wang, and S. Lee, "A novel routing protocol providing good transmission reliability in underwater sensor networks," J. Internet Technol., vol. 16, no. 1, pp. 171–178, 2015.
[14] M.-S. Hwang and L.-H. Li, "A new remote user authentication scheme using smart cards," IEEE Trans. Consum. Electron., vol. 46, no. 1, pp. 28–30, Feb. 2000.
[15] M. S. Farash and M. A. Attari, "An anonymous and untraceable password-based authentication scheme for session initiation protocol using smart cards," Int. J. Commun. Syst., vol. 29, no. 13, pp. 1956–1967, 2016.
[16] A. Irshad, M. Sher, M. S. Faisal, A. Ghani, M. Ul Hassan, and S. Ashraf Ch, "A secure authentication scheme for session initiation protocol by using ECC on the basis of the Tang and Liu scheme," Secur. Commun. Netw., vol. 7, no. 8, pp. 1210–1218, 2014.
[17] H.-M. Sun, "An efficient remote use authentication scheme using smart cards," IEEE Trans. Consum. Electron., vol. 46, no. 4, pp. 958–961, Nov. 2000.
[18] J.-L. Tsai, T.-C. Wu, and K.-Y. Tsai, "New dynamic ID authentication scheme using smart cards," Int. J. Commun. Syst., vol. 23, no. 12, pp. 1449–1462, 2010.
[19] C.-T. Li, C.-C. Lee, and C.-W. Lee, "An improved two-factor user authentication protocol for wireless sensor networks using elliptic curve cryptography," Sensor Lett., vol. 11, no. 5, pp. 958–965, 2013.
[20] S. H. Islam and G. Biswas, "Dynamic ID-based remote user mutual authentication scheme with smartcard using elliptic curve cryptography," J. Electron., vol. 31, no. 5, pp. 473–488, 2014.
[21] M. S. Farash, S. Kumari, and M. Bakhtiari, "Cryptanalysis and improvement of a robust smart card secured authentication scheme on SIP using elliptic curve cryptography," Multimedia Tools Appl., vol. 75, no. 8, pp. 4485–4504, 2016.
[22] C.-L. Hsu, Y.-H. Chuang, and C.-L. Kuo, "A novel remote user authentication scheme from bilinear pairings via internet," Wireless Pers. Commun., vol. 83, no. 1, pp. 163–174, 2015.
[23] A. Irshad, M. Sher, E. Rehman, S. A. Ch, M. U. Hassan, and A. Ghani, "A single round-trip SIP authentication scheme for voice over internet protocol using smart card," Multimedia Tools Appl., vol. 74, no. 11, pp. 3967–3984, 2015.
[24] A. K. Das, "A secure and robust password-based remote user authentication scheme using smart cards for the integrated EPR information system," J. Med. Syst., vol. 39, no. 3, pp. 1–14, 2015.
[25] D. Mishra, "On the security flaws in ID-based password authentication schemes for telecare medical information systems," J. Med. Syst., vol. 39, no. 1, pp. 1–16, 2015.
[26] L.-H. Li, L.-C. Lin, and M.-S. Hwang, "A remote password authentication scheme for multiserver architecture using neural networks," IEEE Trans. Neural Netw., vol. 12, no. 6, pp. 1498–1504, Nov. 2001.
[27] I.-C. Lin, M.-S. Hwang, and L.-H. Li, "A new remote user authentication scheme for multi-server architecture," Future Gener. Comput. Syst., vol. 19, no. 1, pp. 13–22, 2003.
[28] X. Cao and S. Zhong, "Breaking a remote user authentication scheme for multi-server architecture," IEEE Commun. Lett., vol. 10, no. 8, pp. 580–581, Aug. 2006.
[29] C.-C. Lee, T.-H. Lin, and R.-X. Chang, "A secure dynamic ID based remote user authentication scheme for multi-server environment using smart cards," Expert Syst. Appl., vol. 38, no. 11, pp. 13863–13870, 2011.
[30] S. K. Sood, A. K. Sarje, and K. Singh, "A secure dynamic identity based authentication protocol for multi-server architecture," J. Netw. Comput. Appl., vol. 34, no. 2, pp. 609–618, 2011.
[31] X. Li, Y. Xiong, J. Ma, and W. Wang, "An efficient and security dynamic identity based authentication protocol for multi-server architecture using smart cards," J. Netw. Comput. Appl., vol. 35, no. 2, pp. 763–769, 2012.
[32] W.-J. Tsaur, J.-H. Li, and W.-B. Lee, "An efficient and secure multi-server authentication scheme with key agreement," J. Syst. Softw., vol. 85, no. 4, pp. 876–882, 2012.
[33] K. Xue, P. Hong, and C. Ma, "A lightweight dynamic pseudonym identity based authentication and key agreement protocol without verification tables for multi-server architecture," J. Comput. Syst. Sci., vol. 80, no. 1, pp. 195–206, 2014.
[34] D. Mishra, A. K. Das, and S. Mukhopadhyay, "A secure user anonymity-preserving biometric-based multi-server authenticated key agreement scheme using smart cards," Expert Syst. Appl., vol. 41, no. 18, pp. 8129–8143, 2014.
[35] X. Li, J. Niu, S. Kumari, J. Liao, and W. Liang, "An enhancement of a smart card authentication scheme for multi-server architecture," Wireless Pers. Commun., vol. 80, no. 1, pp. 175–192, 2015.
[36] S. Shunmuganathan, R. D. Saravanan, and Y. Palanichamy, "Secure and efficient smart-card-based remote user authentication scheme for multiserver environment," Can. J. Electr. Comput. Eng., vol. 38, no. 1, pp. 20–30, 2015.
[37] E.-J. Yoon and K.-Y. Yoo, "Robust biometrics-based multi-server authentication with key agreement scheme for smart cards on elliptic curve cryptosystem," J. Supercomput., vol. 63, no. 1, pp. 235–255, 2013.
[38] H. Kim, W. Jeon, K. Lee, Y. Lee, and D. Won, "Cryptanalysis and improvement of a biometrics-based multi-server authentication with key agreement scheme," in Proc. Int. Conf. Comput. Sci. Appl., 2012, pp. 391–406.
[39] D. He and D. Wang, "Robust biometrics-based authentication scheme for multiserver environment," IEEE Syst. J., vol. 9, no. 3, pp. 816–823, Sep. 2015.
[40] V. Odelu, A. K. Das, and A. Goswami, "A secure biometrics-based multiserver authentication protocol using smart cards," IEEE Trans. Inf. Forens. Security, vol. 10, no. 9, pp. 1953–1966, Sep. 2015.
[41] J.-L. Tsai and N.-W. Lo, "A privacy-aware authentication scheme for distributed mobile cloud computing services," IEEE Syst. J., vol. 9, no. 3, pp. 805–815, Sep. 2015.
[42] S. Mitsunari, R. Sakai, and M. Kasahara, "A new traitor tracing," IEICE Trans. Fundam. Electron. Commun. Comput. Sci., vol. 85, no. 2, pp. 481–484, 2002.
[43] K. Y. Choi, J. Y. Hwang, D. H. Lee, and I. S. Seo, ID-based Authenticated Key Agreement for Low-Power Mobile Devices. Berlin, Germany: Springer, 2005, pp. 494–505.
[44] W. Diffie and M. Hellman, "New directions in cryptography," IEEE Trans. Inf. Theory, vol. IT-22, no. 6, pp. 644–654, Nov. 1976.
[45] M. Jakobsson and D. Pointcheval, "Mutual authentication for low-power mobile devices," in Proc. Int. Conf. Financ. Cryptogr., 2001, pp. 178–195.
[46] T.-Y. Wu and Y.-M. Tseng, "An efficient user authentication and key exchange protocol for mobile client–server environment," Comput. Netw., vol. 54, no. 9, pp. 1520–1530, 2010.
[47] D. Pointcheval and J. Stern, "Security arguments for digital signatures and blind signatures," J. Cryptol., vol. 13, no. 3, pp. 361–396, 2000.
[48] F. Hess, N. P. Smart, and F. Vercauteren, "The eta pairing revisited," IEEE Trans. Inf. Theory, vol. 52, no. 10, pp. 4595–4602, Oct. 2006.
[49] Shamus Software Ltd., "Miracl library." Available: http://www.shamus.ie/index.php?page=home
[50] D. He, S. Zeadally, N. Kumar, and W. Wei, "Efficient and anonymous mobile user authentication protocol using self-certified public key cryptography for multi-server architectures," IEEE Trans. Inf. Forens. Security, vol. 11, no. 9, pp. 2052–2064, Sep. 2016.


Debiao He received the Ph.D. degree in applied mathematics from the School of Mathematics and Statistics, Wuhan University, Wuhan, China, in 2009.
He is currently an Associate Professor with the
State Key Laboratory of Software Engineering, Computer School, Wuhan University. His main research
interests include cryptography and information security, in particular, cryptographic protocols.

Neeraj Kumar received the Ph.D. degree in computer science and engineering from Shri Mata
Vaishno Devi University, Katra, India.
He was a Postdoctoral Research Fellow with
Coventry University, Coventry, U.K. He is an Associate Professor with the Department of Computer
Science and Engineering, Thapar University, Patiala,
India. He has authored or co-authored more than 150
technical research papers in leading journals and conferences from IEEE, Elsevier, Springer, Wiley, etc.
Some of his research findings have been published in
top cited journals such as the IEEE TRANSACTIONS ON INDUSTRIAL ELECTRONICS, the IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING, the
IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, the IEEE
TRANSACTIONS ON CONSUMER ELECTRONICS, IEEE Network, the IEEE TRANSACTIONS ON COMMUNICATIONS, the IEEE TRANSACTIONS ON WIRELESS COMMUNICATIONS, the IEEE INTERNET OF THINGS JOURNAL, the IEEE SYSTEMS
JOURNAL, the Future Generation Computer Systems, the Journal of Network
and Computer Applications, and Computer Communications. He has guided
many research scholars leading to their Ph.D. and M.E./M.Tech. degrees. His research has been supported by the TCS, CSIR, and UGC.

Muhammad Khurram Khan is currently a Full Professor with the Center of Excellence in Information
Assurance, King Saud University, Riyadh, Saudi Arabia. He has authored or co-authored more than 250
papers in international journals and conferences and
is an inventor of 10 U.S./PCT patents. He has edited 7
books and proceedings published by Springer-Verlag
and the IEEE. He is the Editor-in-Chief of Telecommunication Systems (Springer). His current research
interests include cybersecurity, biometrics, multimedia security, and digital authentication.
Dr. Khan is also on the Editorial Boards of several international journals.

Lina Wang received the Ph.D. degree in computer science and technology from Northeastern University, Boston, MA, USA, in 2001.
She is currently a Professor with the Key Laboratory of Aerospace Information Security and Trusted
Computing Ministry of Education, Computer School,
Wuhan University, Wuhan, China. Her research interests include information security, network security,
and cryptography.

Jian Shen received the B.E. degree from the Nanjing University of Information Science and Technology, Nanjing, China, in 2007 and the M.E. and
Ph.D. degrees in computer science from Chosun University, Gwangju, South Korea, in 2009 and 2012,
respectively.
Since late 2012, he has been a Professor with the
School of Computer and Software, Nanjing University of Information Science and Technology, Nanjing.
His research interests include information security,
network security, mobile computing and networking,
and ad hoc networks and systems.
