2327-4662 (c) 2018 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/JIOT.2018.2847447, IEEE Internet of Things Journal

GENERIC COLORIZED JOURNAL, VOL. XX, NO. XX, XXXX 2017

E-AUA: An Efficient Anonymous User Authentication Protocol for Mobile IoT

Xianjiao Zeng, Student Member, IEEE, Guangquan Xu*, Member, IEEE, Xi Zheng, Member, IEEE, Yang Xiang, Senior Member, IEEE, and Wanlei Zhou, Senior Member, IEEE

Abstract— The emergence of the mobile Internet of Things (IoT) has made our lives smarter, relying on its various mobile IoT devices and the services they provide. However, with the explosively emerging mobile IoT services, malicious attackers can access them in an unauthorized way. In this paper, we designed an Efficient Anonymous User Authentication (E-AUA) protocol between the users and servers based on multi-server architectures, which contain multiple servers to address the problem of network congestion in mobile IoT. Furthermore, the E-AUA protocol was designed with a dual messages mechanism with strong anti-attack ability and lower communication and computation costs. Compared with the state of the art protocols, our E-AUA protocol reduced both communication and computation costs. We also provided a security analysis to demonstrate that our E-AUA protocol is secure and meets a variety of security requirements in a motivated mobile IoT scenario.

Index Terms— Mobile Internet of Things, Anonymous User Authentication, Multi-server Architectures, Dual Messages Mechanism, Online/offline Respective-processing Mechanism, Innovative Cryptographic Scheme.

I. INTRODUCTION

In the mobile communication based IoT (i.e. mobile IoT) [1], a variety of mobile devices, such as mobile phones, handheld computers, and smart gateways in vehicles, can completely act as IoT communication nodes. Driverless electric vehicles which utilize mobile terminals (i.e. smart gateways) are becoming one of the emerging applications in mobile IoT.

This work has been partially sponsored by the National Science Foundation of China (No. 61572355, U1736115), the Tianjin Research Program of Application Foundation and Advanced Technology (No. 15JCYBJC15700), and the Fundamental Research of Xinjiang Corps (No. 2016AC015).

Xianjiao Zeng is with the Tianjin Key Laboratory of Advanced Networking (TANK), School of Computer Science and Technology, Tianjin University, Tianjin 300350 China (e-mail: [email protected]).

Guangquan Xu (corresponding author) is with the Tianjin Key Laboratory of Advanced Networking (TANK), School of Computer Science and Technology, Tianjin University, Tianjin 300350 China (corresponding author, e-mail: [email protected]).

Xi Zheng is with the Department of Computing, Macquarie University, Australia (e-mail: [email protected]).

Yang Xiang is with School of Software and Electrical Engineering, Swinburne University of Technology, Australia (e-mail: [email protected]).

Wanlei Zhou is with the School of IT, Deakin University, Australia (e-mail: [email protected]).

Copyright (c) 2012 IEEE. Personal use of this material is permitted. However, permission to use this material for any other purposes must be obtained from the IEEE by sending a request to [email protected].

Driverless electric vehicles in vehicular ad hoc networks (VANETs) [2] [3] have received widespread interest, due to their high automation and green energy. However, when driverless electric vehicles intend to cross the intersection at high speed, they must make fast mutual authentication with Road Side Units (RSUs) using smart gateways. The two parties (vehicle and RSU) finally negotiate a shared session key for subsequent secure and real-time communications. We presume the vehicle authentication has to go through the RSU instead of being initiated among the vehicles themselves. The session key can also be used for driverless electric vehicles to get various special services. However, in this actual scenario, there are two major hidden dangers. One is security, and the other is system efficiency. Therefore, it is vital for both communication parties (vehicle and RSU) to maintain low communication and computation costs in the mutual authentication. Note that in the above example, both communication parties (even between vehicles) can be considered as user-side and server-side respectively.

In order to solve the above problems in mobile IoT, various user authentication protocols have been proposed over the past few years. However, their privacy preservation was not enough to prevent leaking a user's identity, which would help the adversaries associate the user's identity with service requests for subsequent malicious attacks [4]-[6] and privacy infringement. Thus, it becomes an urgent need for researchers to design various anonymous user authentication (AUA) protocols for mobile IoT.

To date, many AUA protocols have been introduced aiming to further enhance the user privacy protection and improve system efficiency. They supported mutual authentication between the users and servers, and allowed them to negotiate a shared session key for future secure communication. However, these AUA protocols still suffered from a variety of security attacks, and they failed to keep a good balance between security and performance cost. The symmetric encryption algorithm based AUA protocols [7] [8] [9] had small computation cost and high encryption efficiency, while the security of AUA protocols is reduced due to public transmission of keys. The public key cryptography (PKC) based AUA protocols [10] [11] [12] enhanced users' privacy protection and system security; however, the public key infrastructure (PKI) was introduced and the registration center (RC) was required to be online all the time, which thus greatly reduced the efficiency and performance of the protocols. To improve performance and further enhance security, there were many AUA protocols being presented one after another based on elliptic curve cryptography (ECC), but they still required an online RC, which resulted in low performance [13] [14] [15].

In order to ensure mobile IoT communications, a self-certified public key cryptography (SCPKC) based AUA protocol [16] was designed to remove the online RC, improving the overall performance. However, there were still some drawbacks in it. Firstly, the AUA protocol was vulnerable to some attacks such as denial of service attacks and offline dictionary attacks, because the protocol did not have secure timestamp verification and super-password protection. Secondly, although the AUA protocol [16] indicated that it can achieve two-factor security [17], [18], no formal security verification was given. Thirdly, the computation and communication costs of the AUA protocol in [16] were still relatively high, making the protocol not suitable for use in mobile IoT communications. Inspired by [16], we proposed an efficient AUA protocol based on a novel dual messages mechanism for multi-server architecture, which contains multiple servers in order to address performance bottlenecks in traditional single-server architecture [10], [13], [16]. The dual messages mechanism is achieved by several mechanisms including an innovative cryptographic scheme [28], a secure tamper-resistant timestamp, two-factor security authentication, and an online/offline respective-processing algorithm, which makes our E-AUA protocol substantially more effective and suitable for mobile IoT communications. The online/offline respective-processing mechanism [19] divides our scheme realization into two phases: offline and online. In the offline phase, most heavy calculations are done without knowing the identity of the recipient. In the online phase, only light calculations are done when the identity of the recipient is known.

A. Our Contribution

In this paper, we propose an efficient anonymous user authentication (E-AUA) protocol for mobile IoT applications. The main contributions of our E-AUA protocol are summarized as follows.

1) The dual messages mechanism we propose only requires two rounds of message exchange on both sides of the communication. In addition, with such a mechanism, the registration center is not required to be online all the time, making the overall performance of E-AUA significantly improved over PKC based protocols while maintaining high security.

2) Innovative Cryptographic Scheme and Secure Tamper-resistant Timestamp: For the former, in our E-AUA protocol, we propose an easy-to-remember innovative cryptographic scheme while providing super-password protection. For the latter, it can deliver the timestamp securely and use the unaltered timestamp to keep our E-AUA protocol free from denial of service attacks. In a nutshell, the use of these two technologies enables our E-AUA protocol to resist various stubborn attacks.

3) Formal Security Proof is given: Compared with most AUA protocols, our E-AUA protocol is provably secure in the extended security model, which can also capture two-factor security to resist compromised smart gateway attacks. In addition, our E-AUA protocol can satisfy other important security properties, such as user anonymity, known-key security, perfect forward secrecy and so on.

4) Online/Offline Respective-processing Mechanism: In order to further improve the overall performance of our E-AUA protocol, an online/offline respective-processing mechanism is introduced to reduce the computation cost at the user side, thus our E-AUA protocol is more suitable for deployment in low-power mobile IoT communications.

Notably, the above contributions have comprehensively enhanced the user privacy protection and system security in mobile IoT communications. Specifically, our E-AUA protocol requires less communication and computation cost at the user side compared to the state of the art [16], which greatly improves the efficiency of mobile IoT communications.

The remainder of this paper is organized as follows. In Section II, some preliminary works are introduced to allow the reader to obtain a better understanding of our E-AUA protocol. We introduce the extended security model in Section III. In Section IV, our E-AUA protocol is proposed based on the security model presented in the previous section. Then, we conduct a security proof for our E-AUA protocol in Section V. In Section VI, we display the performance comparisons of our E-AUA protocol and related protocols in computation and communication costs. Finally, the conclusion and future work are presented in Section VII.

II. FUNDAMENTALS

In this section, we will walk through some fundamental knowledge of the paper.

A. Notations

In this subsection, we will give all the notations appearing in our E-AUA protocol design as shown in Table I. Note that in the follow-up content, we can refer to the mobile IoT user and mobile IoT server as the user and server.

B. Bilinear Pairing

Bilinear pairing [20] is a secure and efficient technology, which has gained widespread acceptance in cryptography since 2001, when Boneh and Franklin used it to construct the first practical and secure identity-based encryption scheme. With such a technique, we construct a novel identity-based SCPKC protocol. Note that the bilinear pairing is symmetric and its specific description is given as follows.

Definition 1: Symmetric Bilinear Pairing: Let $G_1$ and $G_2$ be additive and multiplicative cyclic groups respectively with the same prime order $q$. Assume $P$ is a generator of $G_1$ and $g$ is a generator of $G_2$. We say $e : G_1 \times G_1 \to G_2$ is a symmetric bilinear pairing if it satisfies the following properties:

1) Bilinear: For $\forall p_1, p_2, p_3 \in G_1$ and $\forall a, b \in Z_q^*$, we have $e(p_1 + p_2, p_3) = e(p_1, p_3)e(p_2, p_3)$, $e(ap_1, bp_2) = e(abp_1, p_2) = e(p_1, abp_2) = e(p_1, p_2)^{ab}$ and $e(P, P) = g$.

2) Nondegeneracy: For at least one element $P \in G_1$, the inequality $e(P, P) \neq 1_{G_2}$ holds.

3) Computability: For $\forall p_1, p_2 \in G_1$, there is at least one efficient algorithm to compute $e(p_1, p_2)$.


TABLE I: Notations explanation

| Notations | Explanation |
|---|---|
| RC | registration center |
| SG | smart gateway |
| $U_i, S_j$ | the mobile IoT user and server |
| $G_1, G_2$ | additive and multiplicative cyclic groups |
| $q$ | the prime order of the above groups |
| $e : G_1 \times G_1 \to G_2$ | bilinear pairing |
| $P, g$ | the generators of $G_1$ and $G_2$ |
| $\tau, \hat{\tau}$ | two system private keys |
| $P_{pub}, g_{pub}$ | two system public keys |
| $h_0(\cdot), h_1(\cdot), h_2(\cdot), h_3(\cdot)$ | four general hash functions |
| $H(\cdot)$ | point-to-point hash function |
| $ID_{U_i}, ID_{S_j}$ | the user's identity, the server's identity |
| $PW_{U_i}, PW'_{U_i}$ | the user's old and new passwords |
| $b_{U_i}, r_{U_i}, \beta, \gamma$ | random numbers generated by the user |
| $b'_{U_i}$ | random number generated by the SG |
| $r_{S_j}$ | random number generated by the server |
| $sk_A, D_{S_j}$ | the user's and the server's private keys |
| $T_1, T_2$ | the current timestamp at user/server end |
| $\Delta t$ | the actual time interval between $T_2$ and $T_1$ |
| $K$ | the shared session key |
| $\psi_{U_i}, v_{U_i}$ | the intermediate values generated by the RC during the registration phase |
| $\psi'_{U_i}, v'_{U_i}$ | the intermediate values generated by the SG during the password change phase |
| $R'_{U_i}, x, W, H$ | the intermediate values generated by the user during the offline pre-calculation stage |
| $\eta, R_{U_i}, a, \kappa, b$ | the intermediate values generated by the user during the online login and authentication |
| $y, \alpha_{S_j}$ | the intermediate values generated by the server during the online login and authentication |
| $Enc(\cdot)/Dec(\cdot)$ | the symmetric encryption/decryption algorithm (e.g. AES-256) |

C. Computational Hardness Assumption

In this subsection, we introduce two computational hardness assumptions called the DL (Discrete Logarithm) problem and the CDH (Computational Diffie-Hellman) problem, which cannot be solved by any polynomial time algorithm. Therefore, the construction of cryptography protocols is generally based on the DL and CDH problems, which are also the security foundation of our E-AUA protocol. The specific description of the DL and CDH problems is given as follows.

Definition 2: DL (Discrete Logarithm) Problem: For $\forall a \in Z_q^*$, given two elements $P, aP \in G_1$, where $P$ is a generator of $G_1$, compute $a$. Or given two elements $g, g^a$, where $g$ is a generator of $G_2$, compute $a$.

Definition 3: CDH (Computational Diffie-Hellman) Problem: For $\forall a, b \in Z_q^*$, given three elements $P, aP, bP \in G_1$, where $P$ is a generator of $G_1$, compute $abP$. Or given three elements $g, g^a, g^b$, where $g$ is a generator of $G_2$, compute $g^{ab}$.
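Definitions 1 to 3 can be exercised on a toy group, as an added example that is not from the paper: $G_1$ is modelled as $(Z_q, +)$ with $P = 1$ and $G_2$ as the order-$q$ subgroup of $Z_p^*$, with constructed parameters $q = 1019$, $p = 2039$, $g = 4$. The model is bilinear but insecure by construction, and it goes slightly beyond the text by solving small DL and CDH instances to show that their hardness rests entirely on the size of $q$.

```python
"""Toy model of Definitions 1-3 (added illustration, not the paper's code).

G1 is modelled as (Z_q, +) with generator P = 1, and G2 as the order-q
subgroup of Z_p^*. The map e(xP, yP) = g^(xy) mod p is bilinear, but the
DL problem in this G1 is trivial, so the model is for checking identities
only; real schemes take G1 from an elliptic curve.
"""
from math import isqrt

# Constructed toy parameters: q prime, p = 2q + 1 prime, g of order q.
Q = 1019
P_MOD = 2 * Q + 1      # 2039
G = 4                  # a square mod p other than 1, hence of order q
P_GEN = 1              # the generator "P" of the additive group G1
assert pow(G, Q, P_MOD) == 1 and G != 1


def pairing(x: int, y: int) -> int:
    """e : G1 x G1 -> G2 with e(xP, yP) = g^(xy)."""
    return pow(G, (x * y) % Q, P_MOD)


def check_definition_1() -> bool:
    """Check bilinearity and nondegeneracy on a grid of sample elements."""
    pts = [1, 2, 17, 500, Q - 1]          # elements of G1
    scalars = [1, 3, 250, Q - 1]          # elements of Z_q^*
    for p1 in pts:
        for p2 in pts:
            base = pairing(p1, p2)
            for p3 in pts:
                # e(p1 + p2, p3) = e(p1, p3) e(p2, p3)
                lhs = pairing((p1 + p2) % Q, p3)
                if lhs != pairing(p1, p3) * pairing(p2, p3) % P_MOD:
                    return False
            for a in scalars:
                for b in scalars:
                    ab = a * b % Q
                    # e(a p1, b p2) = e(ab p1, p2) = e(p1, ab p2) = e(p1, p2)^ab
                    forms = {pairing(a * p1 % Q, b * p2 % Q),
                             pairing(ab * p1 % Q, p2),
                             pairing(p1, ab * p2 % Q),
                             pow(base, ab, P_MOD)}
                    if len(forms) != 1:
                        return False
    # e(P, P) = g, and g is not the identity of G2 (nondegeneracy)
    return pairing(P_GEN, P_GEN) == G and G != 1


def discrete_log(h: int) -> int:
    """DL problem in G2: find a with g^a = h (baby-step giant-step).

    Costs about sqrt(q) group operations, which is why q must be large.
    """
    m = isqrt(Q) + 1
    baby = {pow(G, j, P_MOD): j for j in range(m)}
    step = pow(G, Q - m, P_MOD)           # g^(-m), since g has order q
    gamma = h
    for i in range(m):
        if gamma in baby:
            return (i * m + baby[gamma]) % Q
        gamma = gamma * step % P_MOD
    raise ValueError("h is not in the subgroup generated by g")


def solve_cdh(g_a: int, g_b: int) -> int:
    """CDH problem in G2: compute g^(ab) from (g^a, g^b) via one DL."""
    return pow(g_b, discrete_log(g_a), P_MOD)


if __name__ == "__main__":
    print("Definition 1 holds on samples:", check_definition_1())
    g_a, g_b = pow(G, 123, P_MOD), pow(G, 456, P_MOD)
    print("recovered a =", discrete_log(g_a))
    print("g^(ab) =", solve_cdh(g_a, g_b), "= e(aP, bP) =", pairing(123, 456))
```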

D. The Multi-Server Architecture Model

Fig. 1 is the Multi-Server Architecture Model for the mobile IoT applications. Our E-AUA protocol can be well applied in this model. There are three main entities in this model: the mobile IoT user $U_i$ (user), the mobile IoT server $S_j$ (server) and the registration center (RC). The ultimate goal is to enable the user and server to securely authenticate each other with the help of the RC. We will use the driverless electric vehicles in VANETs as an example, as follows, to explain this model more specifically. In Fig. 1, the user and server can be considered as the driverless electric vehicle and RSU respectively.

Fig. 1: The Multi-Server Architecture Model.

The user $U_i$ is a driverless electric vehicle that has a smart gateway and intends to get authentication from the RSU as fast as possible in order to cross the intersection with a given speed while also gaining access to other available services in the local VANETs. The server $S_j$ is an RSU that can provide the driverless electric vehicle with fast authentication and various special services. The RC is a vehicle service company, which is a trusted third party mainly responsible for generating system parameters, including two system private keys and thirteen system public parameters, and distributing private keys to the user and server. The authentication steps among the three above parties (user, server, and RC) in the multi-server model are as follows. Firstly, the RC will generate a series of system parameters. Then, the user sends his/her identity to the RC and obtains the corresponding private key through a secure channel, which can resist overhearing and tampering. Similarly, the RC will generate and distribute a private key to the corresponding server securely. Finally, the user and server will authenticate each other using their own private keys for subsequent secure communication. Note that in our paper, we assume that the RC is completely trustworthy [13] [14] [21]. In addition, users and servers need to register with the RC through a secure communication channel [13] [16]. This channel is a way of transferring data that is resistant to overhearing and tampering. However, this channel has not yet been widely deployed between users and servers. Therefore, the users and servers need to communicate with each other over the open mobile IoT network rather than a completely secure channel. Note that in VANETs, the open mobile IoT network generally refers to the vehicular mobile internet. In order to solve the insecurity in the open communication process, we propose an efficient privacy enhancement oriented AUA (E-AUA) protocol. The specific design process is shown in Section IV.

III. SECURITY MODEL

Inspired by Xie et al. [17], in this section, we will extend the security model of He et al. [16] to ensure two-factor security while maintaining other various security attributes. Specifically, we will extend the query Corrupt(). Note that the so-called two-factor security means that an adversary can compromise a smart gateway to get the user's long-term private key or password stored in it, but not both. This extended security model is the basis of our E-AUA protocol design.

A. Participants

Our security model includes a set of protocol participants, an active attacker A, and a challenger C.

• The protocol participants: Indicated by the symbol $\Lambda = U \cup S$, where $U$ represents a set of users, and $S$ represents a server collection. We let $\Pi^n_{U_i,S_j}$ denote that the participant $U_i \in U$ is conducting the $n$th key agreement with his/her partner $S_j \in S$ (see Definition 4), where $U_i$ ($S_j$) denotes the $i$-th ($j$-th) instance of $U$ ($S$).

• An active attacker (or adversary): Defined by the symbol A, who is defined as a probabilistic polynomial time (PPT) Turing machine that can access all user and server instances in the security model. These instances can only answer the attacker A on his/her various inquiries passively.

• A challenger: Represented by the symbol C, who is responsible for answering all queries from the active attacker.

Definition 4: Partner: If both protocol participants $U_i$ and $S_j$ obtain the same session identifier SID after a key agreement process is completed, they are called partners, where the session identifier $SID(U_i)$ (or $SID(S_j)$) of each protocol participant $U_i$ (or $S_j$) is defined as the connection of all messages sent and received by $U_i$ (or $S_j$).

B. Queries

We define our E-AUA protocol's security through an attack game between the active attacker and challenger. The game is divided into two stages. In the first stage, A can make the following queries to C, and these queries can be made in any order and adaptively.

• $h_i(m_i)$ or $h_i'(m_i)$: A can send this query with the message $m_i$ to C, and C will compute $v_i = hash(m_i) \in Z_q^*$, store $(m_i, v_i)$ in the list $L_{h_i}$ or $L_{h_i'}$, and then return $v_i$ to A. In this query, $i = 0, 1, 2, 3$.

• $H(M)$: A can send this query with the message $M$ to C, and C will compute $V = hash(M) \in G_1$, store $(M, V)$ in the list $L_H$, and then return $V$ to A.

• $ExtractUser(ID_{U_i})$: When A sends this query to C with $U_i$'s identity $ID_{U_i}$, C generates $U_i$'s private key $sk_A$ by executing a key generation algorithm and then stores $sk_A$ in the list $L_{UK}$.

• $ExtractServer(ID_{S_j})$: When A sends this query to C with $S_j$'s identity $ID_{S_j}$, C generates $S_j$'s private key $D_{S_j}$ by executing a key generation algorithm and then stores $D_{S_j}$ in the list $L_{SK}$.

• $Execute(U_i, S_j)$: This query can simulate passive attacks, which allows A to acquire all copies of the interactive data between $U_i$ and $S_j$ by wiretapping when they execute our E-AUA protocol.

• $Send(U_i/S_j, M)$: This query models active attacks: if A sends the message $M$ to C, then C will answer with a response message $m$ about $U_i/S_j$ or a decision that "accepts" or "rejects" this session.

• $Reveal(U_i)$: This query models known key attacks. When A sends this query to C, C will return the session key involved in $U_i$ to A. If the state of $U_i$ is not "accepted" ("accepted" means $U_i$ has calculated a session key), then C returns the termination symbol $\perp$ to A.

• $CorruptUser(U_i, a)$: This query simulates the corruption ability of A, which can capture two-factor security.
a) If $a = 1$, C returns $U_i$'s long-term password $PW$ to A. Such queries simulate perfect forward secrecy.
b) If $a = 2$, C returns the long-term private key and other messages existing in $U_i$'s smart gateway. Such queries can simulate the compromised smart gateway attacks.
Correspondingly, the state of the entity that answered the Corrupt-query is called "corrupted".

• $CorruptServer(ID_{S_j})$: This query with $S_j$'s identity $ID_{S_j}$ requires C to return the long-term private key owned by $S_j$.

• $Test(U_i)$: A can send a Test-query to C about a fresh instance (see Definition 5) $U_i$. At this point, the challenger C answers this query by throwing a fair coin $b \in \{0, 1\}$: if the coin result is 1, i.e. $b = 1$, then C returns $U_i$'s session key to A; otherwise, C returns a random value of the same length as the session key, drawn from the session key space $\{0, 1\}^k$, where $k$ is the bit length of the session key.

In the second stage of the game, A can continue to make the above queries on the challenger C, but he/she is limited in certain aspects: on the one hand, he/she cannot send a Reveal-query to C about the tested participant. On the other hand, A cannot send a Corrupt-query to C about the tested participant's partner.

C. Fresh Instance

Definition 5: Fresh Instance: We call an instance $U_i$ fresh, provided that his/her state is "accepted" and he/she meets the following four points:

1) It has not been queried by Reveal-query.

2) Its partner (if existing) has not been queried by Reveal-query.

3) Either $Corrupt(ID_{U_i}, 1)$ or $Corrupt(ID_{U_i}, 2)$ is not queried by A.

4) $S_j$, who is $U_i$'s partner, has not been corrupted.

The definition of the Fresh Instance contains the situation in which the user instance $U_i$ is corrupted, so the model can simulate the key-compromise impersonation (KCI) attacks.

D. Semantic SecurityAfter the above queries, A outputs his/her judgment b′

about the value of b generated in Test-query. If b′ = b, wecall A wins this game or our E-AUA protocol is semanticallyunsecure. Let P and D be our E-AUA protocol and auniformly distributed password dictionary respectively. Wedefine the winning advantage of A as follows:


$$\mathrm{Advantage}^{D}_{P}(A) = |\Pr[b' = b] - 1/2|$$

If any polynomial adversary cannot win the game with the probability $\mathrm{Advantage}^{D}_{P}(A)$, then we say our E-AUA protocol is semantically secure. At the same time, we can also say our E-AUA protocol achieves two-factor security and resists various attacks, such as passive attacks, active attacks, known-key attacks and KCI attacks (see Definition 5), because these security attributes are simulated in the above security model.

IV. E-AUA PROTOCOL

In this section, we present the security objectives and the core design of our E-AUA protocol, which is based on the security model in Section III. Our E-AUA protocol adopts a dual messages mechanism with high security and efficiency. Therefore, it can be used in real mobile IoT multi-server architectures, such as driverless electric vehicles in VANETs. On the one hand, it solves the problem that traditional slow authentication schemes are no longer suitable for VANETs, due to the rapid movement and limited power storage of vehicles. On the other hand, it addresses the network congestion caused by the large number of VANET service requests. Note that in this scenario, the user and the server are the driverless electric vehicle and the RSU respectively, which perform fast authentication with each other.

We first present the security objectives and architecture of our E-AUA protocol, then give its concrete design steps, and finally give the correctness proof of our protocol.

A. Protocol Objectives

The state of the art AUA protocol [16] cannot resist offline dictionary attacks and denial of service attacks concurrently during communications, and its security model cannot achieve two-factor security. In addition, that protocol employs three rounds of message exchange. Therefore, in order to make mobile IoT communications more secure and effective, our E-AUA protocol should achieve the following objectives.

1) Resist various attacks: on the basis of resisting offline dictionary attacks and denial of service attacks, our E-AUA protocol also has to resist other stubborn attacks, such as replay attacks, modification attacks, and user and server simulation attacks.

2) Achieve various ideal security attributes: on the basis of achieving two-factor security, our E-AUA protocol also needs to achieve other ideal security attributes, such as mutual authentication between the user and server, user anonymity, un-traceability, perfect forward security, no online registration center and known-key security.

3) Support formal security verification: to support formal security verification of our E-AUA protocol and ensure that our security model can capture two-factor security to resist compromised smart gateway attacks.

4) Use less computation and communication costs: to allow mobile IoT terminal users and servers to conduct mutual authentication through two rounds of message exchange, which reduces the communication cost. In addition, to allow the use of the online/offline respective-processing mechanism to reduce the computation cost at the user side.

5) Ensure protocol flexibility: to allow the mobile IoT terminal user to replace the old password with a new password at any time, ensuring protocol flexibility and security.

B. Protocol Architecture

Our E-AUA protocol consists of the following six stages:

1) Parameters generation
2) User registration
3) Server registration
4) Offline pre-calculation
5) Online login and authentication
6) Password change

Note that in the offline pre-calculation stage, when the mobile IoT device is idle, the user can use the online/offline respective-processing mechanism to perform some operations in advance without knowing the identity of the server. These pre-calculated operations include a scalar multiplication operation, an exponential operation, and a point-to-point hash operation, which reduces the computation cost at the user side.

C. Protocol Design

In this subsection, we explain the six protocol steps in detail.

1) Parameters generation

In this stage, the RC generates two system private keys and thirteen system public parameters by performing the following steps:

1) RC selects an additive cyclic group $G_1$ of prime order $q$, and a multiplicative cyclic group $G_2$ of the same order $q$. In addition, RC chooses an Ate bilinear pairing [16] $e : G_1 \times G_1 \to G_2$ and selects a generator $P$ for $G_1$. Afterwards, RC computes $g = e(P, P)$ and uses $g$ as a generator for $G_2$.

2) RC selects two system private keys $\tau, \hat{\tau} \in Z_q^*$ and computes the system public keys $g_{pub} = g^{\tau}$ and $P_{pub} = \hat{\tau} \cdot P$.

3) RC selects four general secure hash functions: $h_0 : \{0, 1\}^* \to Z_q^*$, $h_1 : \{0, 1\}^* \times G_1 \to Z_q^*$, $h_2 : G_1 \times G_2 \times G_2 \to Z_q^*$, $h_3 : \{0, 1\}^* \times \{0, 1\}^* \times G_2 \times G_2 \times G_2 \to Z_q^*$ and one secure point-to-point hash function $H : \{0, 1\}^* \to G_1$.

We say that for any hash function, there is no probabilistic polynomial time (PPT) adversary able to output two different strings $m_1, m_2$ such that $h_i(m_1) = h_i(m_2)$, $i = 0, 1, 2, 3$, or $H(m_1) = H(m_2)$.

2) User registration

At this stage, the user $U_i$ sends his/her identity to RC for registration and receives the returned private key over a secure channel, which can resist eavesdropping and tampering.


The specific registration steps between $U_i$ and RC are as follows.

1) $U_i$ randomly chooses his/her identity $ID_{U_i}$, his/her password $PW_{U_i}$ and a random number $b_{U_i} \in Z_q^*$, and then sends the message $\{ID_{U_i}, h_0(ID_{U_i}, PW_{U_i}, b_{U_i})\}$ to the RC using a secure channel. The value $h_0(ID_{U_i}, PW_{U_i}, b_{U_i})$ can be treated as a key for a symmetric encryption algorithm. In addition, the password $PW_{U_i}$ has 8 characters and is generated randomly by the system. We choose to replace four characters in it to make the password more memorable, while ensuring high security against offline dictionary attacks.

2) When the RC receives the message sent by the user $U_i$, it first computes the user's private key $sk_A = \hat{\tau} \cdot H(ID_{U_i})$. It then uses the symmetric key $h_0(ID_{U_i}, PW_{U_i}, b_{U_i})$ to encrypt the user's private key $sk_A$ to get the ciphertext $\psi_{U_i}$, where $\psi_{U_i} = sk_A \oplus h_0(ID_{U_i}, PW_{U_i}, b_{U_i})$. Next, the RC computes $v_{U_i} = h_1(h_0(ID_{U_i}, PW_{U_i}, b_{U_i}), \psi_{U_i})$, which will be stored in the smart gateway to verify user legitimacy. Finally, RC sends the response message $\{\psi_{U_i}, v_{U_i}\}$ to the user using a secure channel. Note that in the above process, the system private key $\hat{\tau}$ is used to construct the user's private key $sk_A$, but it remains secure. Even if an attacker obtains the user's private key $sk_A$ and the identity $ID_{U_i}$, he/she cannot calculate the system private key $\hat{\tau}$ from $sk_A = \hat{\tau} \cdot H(ID_{U_i})$, because the DL problem is hard.

3) When the user receives the response message, he/she stores the message $\{\psi_{U_i}, v_{U_i}, b_{U_i}\}$ in his/her smart gateway and completes user registration.

3) Server registration

In this stage, the server $S_j$ sends its identity to RC for registration and receives its private key over a secure channel, which can resist eavesdropping and tampering. The specific registration steps between $S_j$ and RC are as follows.

1) $S_j$ randomly chooses its identity $ID_{S_j}$ and sends it to the RC using a secure channel.

2) When the RC gets the message sent by the server $S_j$, it calculates $D_{S_j} = \frac{1}{\hat{\tau} + h_0(ID_{S_j})} \cdot P$ and sends the server's private key $D_{S_j}$ to the server using a secure channel. Note that the system private key $\hat{\tau}$ is used to construct the server's private key $D_{S_j}$, but it remains secure. Even if an attacker obtains the server's private key $D_{S_j}$ and knows the server's identity $ID_{S_j}$, he/she cannot calculate the system private key $\hat{\tau}$ from $D_{S_j} = \frac{1}{\hat{\tau} + h_0(ID_{S_j})} \cdot P$ before the server's private key $D_{S_j}$ expires [16].

3) When the server receives the response message, it stores $D_{S_j}$ secretly and completes server registration.

4) Offline pre-calculation

In this stage, the user performs some operations offline without knowing the identity of the server and stores the corresponding results in the smart gateway in order to prepare for the online login and authentication stage. The specific steps are as follows.

1) The user generates three random numbers $r_{U_i} \in Z_n^*$, $\beta \in Z_q^*$ and $\gamma \in Z_q^*$, and then computes $R_{U_i}' = r_{U_i}(\beta P + P_{pub})$, $x = g^{r_{U_i}}$, $W = r_{U_i}\gamma P$ and $H = H(ID_{U_i})$.

2) The user stores the results $\{\beta, \gamma, R_{U_i}', x, W, H\}$ in the smart gateway and completes the offline pre-calculation stage. Note that the values $\{\beta, \gamma, R_{U_i}', x, W, H\}$ are all intermediate values, which are prepared for the online login and authentication stage to reduce computation cost.

5) Online login and authentication

In this stage, the user $U_i$ logs into the server $S_j$ and conducts mutual authentication with $S_j$. They eventually negotiate a shared session key for subsequent secure communication. This stage depends on the results generated in the offline pre-calculation stage. The specific authentication process is carried out by $U_i$ and $S_j$ as follows.

1) The user $U_i$ inputs his/her identity $ID_{U_i}$ and his/her password $PW_{U_i}$, and then the smart gateway checks whether the equation $v_{U_i} = h_1(h_0(ID_{U_i}, PW_{U_i}, b_{U_i}), \psi_{U_i})$ is true or not. The smart gateway can effectively authenticate a user by using the messages $\{\psi_{U_i}, v_{U_i}, b_{U_i}\}$ stored in it and the identity and password entered by the user, without storing the user's identity and password explicitly. Note that in the VANETs scenario, the user enters his/her identity and password through the human-computer interaction module. If the above equation does not hold, the smart gateway determines that the user's identity and password are not legitimate and stops the request. Otherwise, the user calculates $\eta = \gamma^{-1}(h_0(ID_{S_j}) - \beta) \bmod q$, $R_{U_i} = R_{U_i}' + \eta W$, $sk_A = \psi_{U_i} \oplus h_0(ID_{U_i}, PW_{U_i}, b_{U_i})$, $a = R_{U_i} + sk_A + H \cdot h_0(ID_{S_j})$, $\kappa = T_1 + h_0(ID_{S_j}, ID_{U_i})$, and $b = Enc(ID_{U_i})$. Specifically, in these equations, the values $\eta$, $R_{U_i}$, and $sk_A$ are all intermediate values used to compute $a = R_{U_i} + sk_A + H \cdot h_0(ID_{S_j})$, where the decryption key $h_0(ID_{U_i}, PW_{U_i}, b_{U_i})$ is used to get the user's private key $sk_A$. In addition, the value of $a$ not only helps the server calculate the value of $x$, but also verifies the validity of the user's identity during the calculation process. $T_1$ is the current timestamp at the user side, which is protected by the value of $\kappa$. $Enc(\cdot)$ is an AES symmetric encryption algorithm used to achieve user anonymity (note that we can use other common symmetric encryption algorithms including DES, 3DES, RC2 and RC4; we use the AES symmetric encryption algorithm in this paper due to its high security and efficiency). Finally, the user sends the message $\{a, \kappa, b\}$ to the server.

2) Once the server receives the message from the user, it first calculates $ID_{U_i} = Dec(b)$ to get the user's identity, where $Dec(\cdot)$ is an AES symmetric decryption algorithm, and then it calculates $T_1 = \kappa - h_0(ID_{S_j}, ID_{U_i})$ and determines whether $T_1$ is valid. During the validity check of $T_1$, the server first calculates the actual time interval $\Delta t$ between the time $T_2$ and $T_1$, where $T_2$ is the current time at the server side and $\Delta t = T_2 - T_1$. Then, the server determines whether this time interval $\Delta t$ is within a preset time interval. If not, it indicates that the message sent by the user has expired or that an attacker is performing a malicious attack, so the server stops the request. Otherwise, the server generates a random number $r_{S_j} \in Z_n^*$, and calculates $x = e(a, D_{S_j})/e(H(ID_{U_i}), P)$, $y = g^{r_{S_j}}$, $\alpha_{S_j} = h_2(a, x, y)$, and the shared session key $K = h_3(ID_{U_i}, ID_{S_j}, x, y, x^{r_{S_j}})$. At last, the server responds to $U_i$ with the message $\{y, \alpha_{S_j}\}$. Note that in this paper, we presume that clock synchronization among participants is guaranteed using existing synchronization techniques as in [22]-[24].

3) The user checks whether the equation $\alpha_{S_j} = h_2(a, x, y)$ holds as soon as he/she receives the server's response message. If so, it shows that the values of $a$ and $y$ were not tampered with during their transmission. In addition, it also shows that the server can correctly calculate the value of $x$ and prove the legitimacy of the user's identity during the calculation process. Finally, the user calculates the shared session key $K = h_3(ID_{U_i}, ID_{S_j}, x, y, y^{r_{U_i}})$. However, if the above equation does not hold, the user rejects the session.

At this stage, the server can efficiently calculate the time interval $\Delta t$ between the sending and receiving of the message $\{a, \kappa, b\}$. Once this time interval $\Delta t$ exceeds a preset time interval, the received message is invalid, and the server gives up the connection with the user. Therefore, the server can authenticate users efficiently, without requiring a significant amount of time and computing resources, due to the lightweight calculations and the short preset time interval. In addition, the user can also authenticate the server efficiently by a secure hash function $h_2$. However, when the server determines that the received message is valid and sends back a confirmation message, the user may deny the server's response. In this case, the server will not wait indefinitely for the user to send data, but will wait for a certain period of time depending on the network situation before giving up the connection.

Note that although we save one round of communication at this stage, our E-AUA protocol is still highly secure against potential threats, and detailed proofs can be found in Section V.

6) Password change

At this stage, the user replaces his/her original password $PW_{U_i}$ with the new one $PW_{U_i}'$. The specific password change steps between $U_i$ and the smart gateway are as follows.

1) The system first generates an 8-character password randomly using a dictionary password generator. Then, in order to make the password more memorable, we replace four characters in it to get a new password $PW_{U_i}'$. At last, the user inputs his/her identity $ID_{U_i}$, original password $PW_{U_i}$ and new password $PW_{U_i}'$ into the smart gateway.

2) When the smart gateway receives the messages from the user, it first checks whether the equation $v_{U_i} = h_1(h_0(ID_{U_i}, PW_{U_i}, b_{U_i}), \psi_{U_i})$ is true. If so, the user is legitimate. Then the smart gateway chooses a random number $b_{U_i}' \in Z_q^*$, and computes $\psi_{U_i}' = \psi_{U_i} \oplus h_0(ID_{U_i}, PW_{U_i}, b_{U_i}) \oplus h_0(ID_{U_i}, PW_{U_i}', b_{U_i}')$ and $v_{U_i}' = h_1(h_0(ID_{U_i}, PW_{U_i}', b_{U_i}'), \psi_{U_i}')$. Finally, the smart gateway replaces $\{\psi_{U_i}, v_{U_i}, b_{U_i}\}$ with $\{\psi_{U_i}', v_{U_i}', b_{U_i}'\}$. Otherwise, the smart gateway refuses the request.
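The smart gateway check from login step 1 and the password change steps above can be exercised with byte strings. This is an added example, not code from the paper: SHA-256 stands in for $h_0$ and $h_1$, $sk_A$ is modelled as a 32-byte string instead of a $G_1$ point, the RC's computation and the gateway's storage are merged into one `register` function, and all function names are hypothetical.

```python
import hashlib
import hmac
import secrets


def digest(tag: bytes, *fields: bytes) -> bytes:
    """SHA-256 over a domain tag and length-prefixed fields (unambiguous encoding)."""
    h = hashlib.sha256(tag)
    for f in fields:
        h.update(len(f).to_bytes(4, "big") + f)
    return h.digest()


def h0(identity: str, password: str, b: bytes) -> bytes:
    """Stand-in for h0(ID, PW, b): the mask that hides sk_A."""
    return digest(b"h0", identity.encode(), password.encode(), b)


def h1(mask: bytes, psi: bytes) -> bytes:
    """Stand-in for h1(h0(...), psi): the verifier v kept in the gateway."""
    return digest(b"h1", mask, psi)


def xor(x: bytes, y: bytes) -> bytes:
    if len(x) != len(y):
        raise ValueError("XOR operands must have equal length")
    return bytes(i ^ j for i, j in zip(x, y))


def register(identity: str, password: str, sk_a: bytes) -> dict:
    """Build the gateway record {psi, v, b}; neither ID nor PW is stored."""
    b = secrets.token_bytes(16)
    mask = h0(identity, password, b)
    psi = xor(sk_a, mask)                       # psi = sk_A XOR h0(ID, PW, b)
    return {"psi": psi, "v": h1(mask, psi), "b": b}


def unlock(record: dict, identity: str, password: str):
    """Login step 1: check v == h1(h0(ID, PW, b), psi), then recover sk_A."""
    mask = h0(identity, password, record["b"])
    if not hmac.compare_digest(record["v"], h1(mask, record["psi"])):
        return None                             # gateway stops the request
    return xor(record["psi"], mask)


def change_password(record: dict, identity: str, old_pw: str, new_pw: str):
    """psi' = psi XOR h0(ID, PW, b) XOR h0(ID, PW', b'); sk_A itself is unchanged."""
    old_mask = h0(identity, old_pw, record["b"])
    if not hmac.compare_digest(record["v"], h1(old_mask, record["psi"])):
        return None                             # gateway refuses the request
    new_b = secrets.token_bytes(16)
    new_mask = h0(identity, new_pw, new_b)
    new_psi = xor(xor(record["psi"], old_mask), new_mask)
    return {"psi": new_psi, "v": h1(new_mask, new_psi), "b": new_b}
```

The re-masking never exposes $sk_A$ outside the XOR chain, and a fresh $b_{U_i}'$ makes the new record unlinkable to the old one even if the same password is chosen again.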

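D. Protocol Correctness Proof

In this part, we demonstrate that our E-AUA protocol is correct, that is, the following two equations 1) and 2) hold:

1) $R_{U_i} = r_{U_i}(P_{pub} + h_0(ID_{S_j}) \cdot P)$

PROOF.

$$
\begin{aligned}
R_{U_i} &= R_{U_i}' + \eta W \\
&= r_{U_i}(\beta P + P_{pub}) + r_{U_i}\gamma P \cdot \gamma^{-1}(h_0(ID_{S_j}) - \beta) \bmod q \\
&= r_{U_i}\beta P + r_{U_i}P_{pub} + r_{U_i}\gamma P \cdot \gamma^{-1}h_0(ID_{S_j}) - r_{U_i}\gamma P \cdot \gamma^{-1}\beta \\
&= r_{U_i}P_{pub} + r_{U_i}P \cdot h_0(ID_{S_j}) \\
&= r_{U_i}(P_{pub} + h_0(ID_{S_j}) \cdot P)
\end{aligned}
$$

where $R_{U_i} = R_{U_i}' + \eta W$, $R_{U_i}' = r_{U_i}(\beta P + P_{pub})$, $\eta = \gamma^{-1}(h_0(ID_{S_j}) - \beta) \bmod q$, and $W = r_{U_i}\gamma P$.

2) $e(a, D_{S_j})/e(H(ID_{U_i}), P) = x$

PROOF.

$$
\begin{aligned}
e(a, D_{S_j})/e(H(ID_{U_i}), P)
&= e(R_{U_i} + sk_A + H(ID_{U_i})h_0(ID_{S_j}), D_{S_j})/e(H(ID_{U_i}), P) \\
&= e(R_{U_i}, D_{S_j})\, e(sk_A + H(ID_{U_i})h_0(ID_{S_j}), D_{S_j})/e(H(ID_{U_i}), P) \\
&= e(R_{U_i}, D_{S_j})\, e\!\left((h_0(ID_{S_j}) + \hat{\tau})H(ID_{U_i}), \frac{1}{h_0(ID_{S_j}) + \hat{\tau}} \cdot P\right)/e(H(ID_{U_i}), P) \\
&= e(R_{U_i}, D_{S_j}) \\
&= e\!\left(r_{U_i} \cdot (P_{pub} + h_0(ID_{S_j}) \cdot P), \frac{1}{\hat{\tau} + h_0(ID_{S_j})} \cdot P\right) \\
&= e\!\left(r_{U_i} \cdot (\hat{\tau} \cdot P + h_0(ID_{S_j}) \cdot P), \frac{1}{\hat{\tau} + h_0(ID_{S_j})} \cdot P\right) \\
&= e(P, P)^{r_{U_i} \cdot (\hat{\tau} + h_0(ID_{S_j})) \cdot \frac{1}{\hat{\tau} + h_0(ID_{S_j})}} \\
&= e(P, P)^{r_{U_i}} \\
&= g^{r_{U_i}} \\
&= x
\end{aligned}
$$

where $a = R_{U_i} + sk_A + H \cdot h_0(ID_{S_j})$, $H = H(ID_{U_i})$, $sk_A = \hat{\tau} \cdot H(ID_{U_i})$, $D_{S_j} = \frac{1}{\hat{\tau} + h_0(ID_{S_j})} \cdot P$, and $R_{U_i} = r_{U_i}(P_{pub} + h_0(ID_{S_j})P)$.

At this point, our E-AUA protocol has been proved to be correct.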
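The offline/online split and the two correctness equations above can be run end to end in a toy model, including the server's timestamp check and the user's $\alpha_{S_j}$ check. This is an added example, not the authors' implementation: every group element is represented by its discrete logarithm modulo a constructed prime $q = 2^{127} - 1$ (so the "pairing" is a modular product and nothing here is secure), SHA-256 stands in for $h_0$ to $h_3$ and $H$, the AES encryption of $ID_{U_i}$ is omitted, and all function names are hypothetical.

```python
import hashlib
import secrets

Q = 2**127 - 1  # constructed toy prime order q
P = 1           # generator P of G1 in the exponent model below

# Toy model (assumption): the G1 point k*P is stored as k mod Q and the G2
# element g^k as k mod Q. Point addition and G2 multiplication become "+",
# G2 division "-", exponentiation "*", and e(aP, bP) = g^(ab) becomes a*b.
# Discrete logs are visible, so this checks the algebra only.


def hq(tag: str, *parts) -> int:
    """Stand-in for h0..h3 and H: tagged SHA-256 mapped into [1, Q-1]."""
    h = hashlib.sha256(tag.encode())
    for part in parts:
        data = str(part).encode()
        h.update(len(data).to_bytes(4, "big") + data)
    return int.from_bytes(h.digest(), "big") % (Q - 1) + 1


def rand_scalar() -> int:
    return secrets.randbelow(Q - 1) + 1


def pair(a_pt: int, b_pt: int) -> int:
    return a_pt * b_pt % Q


def rc_setup() -> dict:
    tau_hat = rand_scalar()
    return {"tau_hat": tau_hat, "P_pub": tau_hat * P % Q}


def user_key(rc: dict, id_u: str) -> int:       # sk_A = tau_hat * H(ID_U)
    return rc["tau_hat"] * hq("H", id_u) % Q


def server_key(rc: dict, id_s: str) -> int:     # D_S = 1/(tau_hat + h0(ID_S)) * P
    return pow(rc["tau_hat"] + hq("h0", id_s), -1, Q) * P % Q


def offline_precompute(p_pub: int, id_u: str) -> dict:
    """Done before the server identity is known."""
    r, beta, gamma = rand_scalar(), rand_scalar(), rand_scalar()
    return {"r": r, "beta": beta, "gamma": gamma,
            "R1": r * (beta * P + p_pub) % Q,   # R' = r(beta*P + P_pub)
            "x": r,                             # x = g^r
            "W": r * gamma * P % Q,             # W = r*gamma*P
            "H": hq("H", id_u)}


def user_login(st: dict, sk_a: int, id_u: str, id_s: str, t1: int):
    h_s = hq("h0", id_s)
    eta = pow(st["gamma"], -1, Q) * (h_s - st["beta"]) % Q
    R = (st["R1"] + eta * st["W"]) % Q          # = r(P_pub + h0(ID_S)*P)
    a = (R + sk_a + st["H"] * h_s) % Q
    kappa = t1 + hq("h0", id_s, id_u)
    return a, kappa, id_u                       # b = Enc(ID_U) sent in clear here


def server_respond(msg, d_s: int, id_s: str, t2: int, window: int = 5):
    a, kappa, id_u = msg
    t1 = kappa - hq("h0", id_s, id_u)
    if not 0 <= t2 - t1 <= window:              # stale or future-dated message
        return None
    r_s = rand_scalar()
    x = (pair(a, d_s) - pair(hq("H", id_u), P)) % Q   # e(a,D_S)/e(H(ID_U),P)
    y = r_s                                           # y = g^(r_S)
    alpha = hq("h2", a, x, y)
    key = hq("h3", id_u, id_s, x, y, x * r_s % Q)     # fifth input: x^(r_S)
    return y, alpha, key


def user_finish(st: dict, msg, y: int, alpha: int, id_u: str, id_s: str):
    if alpha != hq("h2", msg[0], st["x"], y):
        return None                             # user rejects the session
    return hq("h3", id_u, id_s, st["x"], y, y * st["r"] % Q)  # y^(r_U)
```

In this model a login built with the wrong $sk_A$, or an $a$ altered in transit, makes the server derive a different $x$, so the user's check of $\alpha_{S_j}$ fails and no key is accepted.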

V. SECURITY EVALUATION

In this section, we first use simulation to prove the security of our protocol. Then, we make a security comparison between our E-AUA protocol and the state of the art AUA protocols [16] [25] [26], and analyze how our E-AUA protocol satisfies the ideal security attributes for mobile IoT communication.


A. Proof of Security

In this subsection, we evaluate whether our E-AUA protocol is secure by proving the following theorem:

THEOREM 1. Any polynomial adversary cannot win the game with the following probability $\mathrm{Advantage}^{D}_{P}(A)$, where $\mathrm{Advantage}^{D}_{P}(A)$ is negligible:

$$
\begin{aligned}
\mathrm{Advantage}^{D}_{P}(A) \le{}& \mathrm{Advantage}^{AES}_{Enc(\cdot)}(t) + \frac{(q_{send} + q_{exe})^2}{2q} + \frac{\left(\sum_{i=0}^{3} q_{h_i}\right)^2}{2q} + \frac{q_H^2}{2q} + \frac{q_{send}}{q} + \frac{q_{send}}{|Dic|} \\
&+ \left(\sum_{i=0}^{3} q_{h_i} + q_H\right) \cdot \mathrm{Advantage}^{CDH}_{G_2}\big(t + (q_{send} + q_{exe} + 1) \cdot t_{exp}\big)
\end{aligned}
$$

For convenience, we use the following symbols:

• $G_2$: a multiplicative cyclic group
• $D$: a uniformly distributed password dictionary
• A: an adversary against our E-AUA protocol
• C: the challenger, as explained in the SECURITY MODEL
• $b$: a random number which can be 0 or 1
• $\mathrm{Advantage}^{AES}_{Enc(\cdot)}$: the advantage of any PPT adversary against the AES symmetric encryption $Enc(\cdot)$
• $\mathrm{Advantage}^{CDH}_{G_2}$: the advantage of any PPT adversary in solving an instance of the CDH problem in $G_2$
• $t$: the expected running time of A
• $q_{send}$: the number of Send-queries
• $q_{exe}$: the number of Execute-queries
• $q_{h_i}$: the number of $h_i$-queries, where $i = 0, 1, 2, 3$
• $\sum_{i=0}^{3} q_{h_i}$: the total number of $h$-queries (i.e., four hash queries)
• $q_H$: the number of $H$-queries (i.e., point-to-point hash function queries)
• $q$: the prime order of the groups $G_1$ and $G_2$
• $|Dic|$: the cardinality of the dictionary
• $t_{exp}$: the exponential operation time in $G_2$

We designed the following simulations to prove the correctness of our protocol:

1.) Simulation of $h_i(m_i)$ and $H(M)$:

• On a $h_i(m_i)$ or $h_i'(m_i)$ query, C checks if a record $(m_i, v_i)$ appears in the list $L_{h_i}$ or $L_{h_i'}$. If it appears, C returns $v_i$ to A; otherwise, C selects a random number $v_i \in Z_q^*$, adds the record $(m_i, v_i)$ into $L_{h_i}$ or $L_{h_i'}$ and returns $v_i$ to A.

• On a $H(M)$ query, C checks if a record $(M, V)$ appears in the list $L_H$. If it appears, C returns $V$ to A; otherwise, C selects a random number $V \in Z_q^*$, adds the record $(M, V)$ into $L_H$ and returns $V$ to A.

2.) Simulation of Send-query:

• When C receives the query Send($U_i$, start), assuming $U_i$ is in the correct state, C performs as follows: Choose the random elements $r_{U_i} \in Z_n^*$, $\beta \in Z_q^*$, $\gamma \in Z_q^*$ and compute $R_{U_i}' = r_{U_i}(\beta P + P_{pub})$, $x = g^{r_{U_i}}$, $W = r_{U_i}\gamma P$, $H = H(ID_{U_i})$, $\eta = \gamma^{-1}(h_0(ID_{S_j}) - \beta) \bmod q$, $R_{U_i} = R_{U_i}' + \eta W$, $sk_A = \psi_{U_i} \oplus h_0(ID_{U_i}, PW_{U_i}, b_{U_i})$, $a = R_{U_i} + sk_A + H \cdot h_0(ID_{S_j})$, $\kappa = T_1 + h_0(ID_{S_j}, ID_{U_i})$, and $b = Enc(ID_{U_i})$. Then the query is answered with $\{a, \kappa, b\}$.

• When C receives the query Send($S_j$, $(a, \kappa, b)$), assuming $S_j$ is in the correct state, C performs as follows: Compute $ID_{U_i} = Dec(b)$, choose a random element $r_{S_j} \in Z_n^*$ and compute $x = e(a, D_{S_j})/e(H(ID_{U_i}), P)$, $y = g^{r_{S_j}}$, $\alpha_{S_j} = h_2(a, x, y)$ and $K = h_3(ID_{U_i}, ID_{S_j}, x, y, x^{r_{S_j}})$. Then the query is answered with $\{y, \alpha_{S_j}\}$.

• When C receives the query Send($U_i$, $(y, \alpha_{S_j})$), assuming $U_i$ is in the correct state, C performs as follows: C checks whether $\alpha_{S_j}$ and $h_2(a, x, y)$ are equal. If not, C terminates the game without accepting. Otherwise, C computes $K = h_3(ID_{U_i}, ID_{S_j}, x, y, y^{r_{U_i}})$.

3.) Simulation of Extract-query:

• When C receives the query ExtractUser($ID_{U_i}$), C performs as follows: C checks if a record $(ID_{U_i}, sk_A)$ appears in the list $L_{UK}$. If so, C sends $ID_{U_i}$ to A; otherwise, C computes $\hat{\tau} \cdot H(ID_{U_i})$, sets $sk_A = \hat{\tau} \cdot H(ID_{U_i})$ and stores $(ID_{U_i}, sk_A)$ and $(ID_{U_i}, H(ID_{U_i}))$ into $L_{UK}$ and $L_H$ respectively. Then C sends $ID_{U_i}$ to A.

• When C receives the query ExtractServer($ID_{S_j}$), C performs as follows: C checks if a record $(ID_{S_j}, D_{S_j})$ appears in the list $L_{SK}$. If so, C sends $ID_{S_j}$ to A; otherwise, C computes $\frac{1}{\hat{\tau} + h_0(ID_{S_j})} \cdot P$, sets $D_{S_j} \leftarrow \frac{1}{\hat{\tau} + h_0(ID_{S_j})} \cdot P$ and stores $(ID_{S_j}, D_{S_j})$ and $(ID_{S_j}, h_0(ID_{S_j}))$ into $L_{SK}$ and $L_{h_0}$ respectively. Then C returns $ID_{S_j}$ to A.

4.) Simulation of Execute, Reveal, CorruptUser, CorruptServer and Test queries:

• When C receives the query Execute($U_i$, $S_j$), C performs as follows:

$(a, \kappa, b) \leftarrow$ Send($U_i$, start)

$(y, \alpha_{S_j}) \leftarrow$ Send($S_j$, $(a, \kappa, b)$)

The query is answered with the transcript $((a, \kappa, b), (y, \alpha_{S_j}))$.

• When C receives the query Reveal($U_i$), C performs as follows: If the state of $U_i$ is "accepted", then C returns $U_i$'s session key to A.

• When C receives the query CorruptUser($U_i$, $a$), C performs as follows: If $a = 1$, C answers the query with $U_i$'s long-term password PW. If $a = 2$, C answers the query with $\{\psi_{U_i}, v_{U_i}, b_{U_i}\}$ stored in $U_i$'s smart gateway.

• When C receives the query CorruptServer($ID_{S_j}$), C performs as follows: C answers the query with $S_j$'s long-term private key $D_{S_j}$.

• When C receives the query Test($U_i$), C performs as follows: C answers this query by throwing a fair coin $b \in \{0, 1\}$. If $b = 1$, then C returns the session key obtained from Reveal($U_i$) to A; otherwise, C returns a random value with the same length.

We defined a series of mixed experiments from $Experiment_0$ to $Experiment_5$. Among them, $Experiment_0$ corresponds to the actual attack. For each $Experiment_m$, where $m = 0, 1, 2, 3, 4$, we defined an event $Esucc_m$ representing the case where A correctly guesses the value of $b$ related to the Test-query.

$Experiment_0$: This experiment corresponds to the actual attack. By definition, we can easily get $\mathrm{Advantage}^{D}_{P}(A) = |\Pr[Esucc_0] - 1/2|$. If we let $\Delta_i$ denote the difference in success probability between $Experiment_i$ and $Experiment_{i+1}$, then we can come to the following conclusion:

$$
\begin{aligned}
\mathrm{Advantage}^{D}_{P}(A) &= |\Pr[Esucc_0] - 1/2| \\
&= |\Pr[Esucc_m] - 1/2 + (\Pr[Esucc_0] - \Pr[Esucc_m])| \\
&\le \left|\Pr[Esucc_m] - 1/2 + \sum_{i=0}^{m-1} \Delta_i\right|
\end{aligned}
$$

$Experiment_1$: In this experiment, we used all the queries in the four simulations at the beginning of this section, which contain $h_i(m_i)$, $h_i'(m_i)$, $H(M)$, Send, ExtractUser, ExtractServer, Execute, Reveal, CorruptUser, CorruptServer, and Test queries, where $i = 0, 1, 2, 3$. The $h_i'(m_i)$ query will appear in $Experiment_4$, used specifically as $h_3'(ID_{U_i}, ID_{S_j}, x, y)$. The identity $ID_{U_i}$ of the user is protected by $b$ during transmission. However, once the adversary distinguishes the plaintext $ID_{U_i}$ in the ciphertext $b$, he/she can break the symmetric key algorithm $Enc(\cdot)$, so the following inequality holds: $|\Delta_0| \le \mathrm{Advantage}^{AES}_{Enc(\cdot)}(t)$.

$Experiment_2$: In this experiment, we simulated all the queries as in $Experiment_1$. Once the transcript of the messages $\{\{a, \kappa, b\}, \{y, \alpha_{S_j}\}\}$ or the output of hash queries collides, we stop the above simulation executions. According to the birthday paradox [27], the maximum collision probability in the transcript of the messages $\{\{a, \kappa, b\}, \{y, \alpha_{S_j}\}\}$ is $\frac{(q_{send} + q_{exe})^2}{2q}$, where $q$ indicates the prime order of the groups $G_1$ and $G_2$. Similarly, the collision probability in the output of hash queries is at most $\frac{\left(\sum_{i=0}^{3} q_{h_i}\right)^2}{2q} + \frac{q_H^2}{2q}$. Therefore, we can draw the conclusion

$$|\Delta_1| \le \frac{(q_{send} + q_{exe})^2}{2q} + \frac{\left(\sum_{i=0}^{3} q_{h_i}\right)^2}{2q} + \frac{q_H^2}{2q}.$$

$Experiment_3$: In this experiment, once the adversary A correctly guesses the values of $\kappa$ and $\alpha_{S_j}$ (for authentication), we stop executing. $Experiment_2$ and $Experiment_3$ are indistinguishable unless the user or server rejects a valid authentication value. To this end, we can draw the conclusion $|\Delta_2| \le \frac{q_{send}}{q}$.

$Experiment_4$: In this experiment, we allowed A to get the session key $K = h_3'(ID_{U_i}, ID_{S_j}, x, y)$ from the Execute-query, which is calculated by the private hash function $h_3'$ instead of the original hash function $h_3$; thus the session key $K$ is independent of $h_3$ and $y^{r_{U_i}}$ ($x^{r_{S_j}}$). $Experiment_3$ and $Experiment_4$ are indistinguishable unless the following event $Eexp_4$ appears: A makes a $h_3$-query on $(ID_{U_i}, ID_{S_j}, x, y, y^{r_{U_i}})$ or $(ID_{U_i}, ID_{S_j}, x, y, x^{r_{S_j}})$ to C in $Experiment_4$. In addition, since the choice of $b$ in the Test-query is random and independent among all the sessions, $|\Delta_3| \le \Pr[Eexp_4]$ and $\Pr[Esucc_4] = \frac{1}{2}$.

$Experiment_5$: In this experiment, we used the CDH problem to simulate the executions. Given a CDH instance $(A, B)$, we selected $\alpha, \beta \in Z_q^*$ randomly and calculated $x = A^{\alpha}$, $y = B^{\beta}$. Similarly, the event $Eexp_5$ denotes that A makes a $h_3$-query on $(ID_{U_i}, ID_{S_j}, x, y, y^{r_{U_i}})$ or $(ID_{U_i}, ID_{S_j}, x, y, x^{r_{S_j}})$ to C in $Experiment_5$, which is the same as $Eexp_4$ in $Experiment_4$, where $y^{r_{U_i}}$ ($x^{r_{S_j}}$) $= CDH(x, y)$, and we can draw the conclusion $\Pr[Eexp_4] = \Pr[Eexp_5]$. Thus, we have:

$$CDH(x, y) = CDH(A^{\alpha}, B^{\beta}) = CDH(A, B)^{\alpha\beta}$$

If the CorruptUser($U_i$, 2) query has been issued, it means that the CorruptUser($U_i$, 1) query about $U_i$'s password cannot be made. Therefore, A can only test one password in each transcript, $q_{send}/|Dic|$, and we can draw:

$$\Pr[Eexp_5] \le \frac{q_{send}}{|Dic|} + \left(\sum_{i=0}^{3} q_{h_i} + q_H\right) \cdot \mathrm{Advantage}^{CDH}_{G_2}\big(t + (q_{send} + q_{exe} + 1) \cdot t_{exp}\big)$$

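Based on all the above information, we can get the following inequality:

$$
\begin{aligned}
\mathrm{Advantage}^{D}_{P}(A) &\le \left|\Pr[Esucc_4] - 1/2 + \sum_{i=0}^{4-1} \Delta_i\right| \\
&= |\Pr[Esucc_4] - 1/2 + (\Delta_0 + \Delta_1 + \Delta_2 + \Delta_3)| \\
&\le \mathrm{Advantage}^{AES}_{Enc(\cdot)}(t) + \left(\frac{(q_{send} + q_{exe})^2}{2q} + \frac{\left(\sum_{i=0}^{3} q_{h_i}\right)^2}{2q} + \frac{q_H^2}{2q}\right) + \frac{q_{send}}{q} + \Pr[Eexp_4] \\
&\le \mathrm{Advantage}^{AES}_{Enc(\cdot)}(t) + \left(\frac{(q_{send} + q_{exe})^2}{2q} + \frac{\left(\sum_{i=0}^{3} q_{h_i}\right)^2}{2q} + \frac{q_H^2}{2q}\right) + \frac{q_{send}}{q} \\
&\quad + \left[\frac{q_{send}}{|Dic|} + \left(\sum_{i=0}^{3} q_{h_i} + q_H\right) \cdot \mathrm{Advantage}^{CDH}_{G_2}\big(t + (q_{send} + q_{exe} + 1) \cdot t_{exp}\big)\right]
\end{aligned}
$$

The result is the same as THEOREM 1, thus proving our protocol is secure.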

B. Security Attributes Comparisons and Analysis

In this subsection, various security attributes [29]-[31] are compared between our E-AUA protocol and the state of the art AUA protocols [16] [25] [26]. The results in Table II show that our E-AUA protocol has higher security coverage compared with the state of the art protocols. For instance, Liao et al.'s protocol [25] needs to update the server's ID table continuously and cannot achieve un-traceability. Hsieh et al.'s protocol [26] cannot resist offline dictionary attacks and server simulation attacks, and cannot provide user anonymity. He et al.'s protocol [16] cannot resist offline dictionary attacks and denial of service attacks. Therefore, our E-AUA protocol can be well applied to mobile IoT communications due to its high security. The specific security attributes of our E-AUA protocol are analyzed as follows.

TABLE II: Security attributes comparisons

| Security Attributes | [39] | [40] | [41] | E-AUA |
|---|---|---|---|---|
| Offline Dictionary Attack | N | N | N | Y |
| Denial of Service Attack | N | N | N | Y |
| Two-Factor Security | Y | Y | Y | Y |
| Mutual Authentication | Y | Y | Y | Y |
| User Anonymity | Y | N | Y | Y |
| Un-traceability | N | Y | Y | Y |
| Perfect Forward Secrecy | Y | Y | Y | Y |
| No Online Registration Center | Y | Y | Y | Y |
| Known-key Security | Y | Y | Y | Y |
| Replay Attack | Y | Y | Y | Y |
| Modification Attack | Y | Y | Y | Y |
| User and Server Simulation Attacks | Y | N | Y | Y |

Note that the security attributes analysis is based on the CDH and DL problems, and on the assumption that any message transmitted in the open channel can be eavesdropped, modified, inserted and deleted by an active adversary.

VI. PERFORMANCE EVALUATION

Driverless electric vehicles using smart gateways are one of the emerging applications for mobile IoT. When the vehicles enter VANETs, in order to cross the intersection at high speed, they must perform fast mutual authentication with RSUs. Note that the driverless electric vehicles and RSUs are the users and servers respectively. Since our E-AUA protocol can be well applied in mobile IoT including the above scenario, we conducted a simulation of the driverless electric vehicle scenario to evaluate the computation and communication costs of our E-AUA protocol and compared them with the state of the art AUA protocols [16] [25] [26]. The specific experimental process is as follows.

A. Analysis of Computation Cost

Our E-AUA protocol involves various operations, including scalar multiplication, general hash (specifically the SHA-1 algorithm), point addition, XOR, add-multi1, general addition, multiplication, division, exponentiation, point-to-point hash, bilinear pairing and symmetric encryption/decryption (e.g., AES-256). Note that an add-multi2 operation appears in the protocol of [16]. For convenience, we represent the execution time of each operation by the corresponding symbol shown in Table III. In order to calculate the total execution time of our E-AUA protocol and compare it with the state of the art AUA protocols [16] [25] [26], we performed the above operations on a mobile device and a personal computer respectively. Specifically, the mobile device is an MI5 with a quad-core 2.15GHz processor, 4.00GB memory and Android 7.0 OS, and the personal computer is a Dell with an Intel(R) Core(TM) i7-3390 CPU @ 3.60GHz 3.60GHz, 8.00GB memory and the Windows 8 64-bit OS. In addition, we used both the python-ate-bilinear-pairing 0.6 library and the PyECC library to record the execution time of the various operations. In our experiments, the mobile device and the personal computer stand for the driverless electric vehicle (the user) and the RSU (the server) respectively. To ensure accuracy, we performed each operation 10 times and took the average as the final execution time. The average time of the various operations is shown in Table III both for the user end and the server end, and the corresponding graphical representations are shown in Fig. 2 and Fig. 3 respectively. Note that in order to save space, the average time of the symmetric encryption/decryption algorithm is not shown in the figures.

TABLE III: The execution time representation of each operation (millisecond)

| Time representation | Operation | Time at the user side | Time at the server side |
|---|---|---|---|
| $T_{sm}$ | Scalar multiplication in $G_1$ | 106.2339 | 35.0444 |
| $T_h$ | Hash | 0.2887 | 0.0249 |
| $T_{pa}$ | Point addition in $G_1$ | 2.9391 | 0.3343 |
| $T_{xor}$ | XOR | 0.0089 | 0.0008 |
| $T_{addmul1}$ | Add-multi in E-AUA | 0.0286 | 0.003 |
| $T_{addmul2}$ | Add-multi in He et al.'s protocol | 0.016 | 0.0015 |
| $T_{add}$ | Addition | 0.0068 | 0.0005 |
| $T_{mul}$ | Multiplication in $G_2$ | 0.0246 | 0.0038 |
| $T_{div}$ | Division in $G_2$ | 0.1242 | 0.0123 |
| $T_{exp}$ | Exponentiation in $G_2$ | 22.6778 | 2.6735 |
| $T_H$ | Point-to-point hash in $G_1$ | 159.9495 | 16.8731 |
| $T_{bp}$ | Bilinear pairing | 432.1529 | 45.4788 |
| $T_{AES}$ | Block encryption/decryption | 0.3562 | 0.0211 |

Fig. 2: The average time of various operations at server end.

Fig. 3: The average time of various operations at user end.

Next, we calculate the total execution time of our E-AUA protocol and of the state of the art AUA protocols [16] [25] [26] respectively and compare them.

When Liao et al.'s protocol [25] is executed, the user computes six types of operations: one point-to-point hash, one point addition, seven scalar multiplications, five hashes, one XOR and one addition. Therefore, the total computation time at the user end is about $T_H + T_{pa} + 7T_{sm} + 5T_h + T_{xor} + T_{add} \approx 907.9851$ milliseconds. Similarly, the server needs to compute four types of operations: two bilinear pairings, one point addition, five scalar multiplications and two hashes. Therefore, the total computation time at the server end is about $2T_{bp} + T_{pa} + 5T_{sm} + 2T_h \approx 266.5637$ milliseconds.

When Hsieh et al.'s protocol [26] is executed, the user computes six types of operations: one point-to-point hash, one point addition, seven scalar multiplications, six hashes, one XOR and one addition. Therefore, the total computation time at the user end is about $T_H + T_{pa} + 7T_{sm} + 6T_h + T_{xor} + T_{add} \approx 908.2738$ milliseconds. Similarly, the server computes five types of operations: one point-to-point hash, two bilinear pairings, one point addition, four hashes and five scalar multiplications. Therefore, the total computation time at the server end is about $T_H + 2T_{bp} + T_{pa} + 4T_h + 5T_{sm} \approx 283.4866$ milliseconds.

When He et al.'s protocol [16] is executed, the user computes six types of operations: two exponentiations, two scalar multiplications, one point addition, two XORs, eight hashes and one add-multi ($T_{addmul2}$). Therefore, the total computation time at the user end is about $2T_{exp} + 2T_{sm} + T_{pa} + 2T_{xor} + 8T_h + T_{addmul2} \approx 263.1059$ milliseconds. Similarly, the server needs to compute five types of operations: four exponentiations, one bilinear pairing, five hashes, two multiplications and one XOR. Therefore, the total computation time at the server end is about $4T_{exp} + T_{bp} + 5T_h + 2T_{mul} + T_{xor} \approx 56.3057$ milliseconds.

When our E-AUA protocol is executed, the user computes six types of operations: two scalar multiplications, three point additions, one exponentiation, one add-multi ($T_{addmul1}$), six hashes and one symmetric encryption. Therefore, the total computation time at the user end is about $2T_{sm} + 3T_{pa} + T_{exp} + T_{addmul1} + 6T_h + T_{AES} \approx 246.0799$ milliseconds in our E-AUA protocol. Similarly, the server computes seven types of operations: two bilinear pairings, two exponentiations, one point-to-point hash, one division, three hashes, one addition and one symmetric decryption. Therefore, the total computation time at the server end is about $2T_{bp} + 2T_{exp} + T_H + T_{div} + 3T_h + T_{add} + T_{AES} \approx 113.2863$ milliseconds in our E-AUA protocol.

TABLE IV: Computation cost comparisons (millisecond) at the server side

| Protocol | Server |
|---|---|
| Ref. [25] | $2T_{bp} + T_{pa} + 5T_{sm} + 2T_h \approx 266.5637$ |
| Ref. [26] | $T_H + 2T_{bp} + T_{pa} + 4T_h + 5T_{sm} \approx 283.4866$ |
| Ref. [16] | $4T_{exp} + T_{bp} + 5T_h + 2T_{mul} + T_{xor} \approx 56.3057$ |
| E-AUA | $2T_{bp} + 2T_{exp} + T_H + T_{div} + 3T_h + T_{add} + T_{AES} \approx 113.2863$ |

TABLE V: Computation cost comparisons (millisecond) at the user side

| Protocol | User |
|---|---|
| Ref. [25] | $T_H + T_{pa} + 7T_{sm} + 5T_h + T_{xor} + T_{add} \approx 907.9851$ |
| Ref. [26] | $T_H + T_{pa} + 7T_{sm} + 6T_h + T_{xor} + T_{add} \approx 908.2738$ |
| Ref. [16] | $2T_{exp} + 2T_{sm} + T_{pa} + 2T_{xor} + 8T_h + T_{addmul2} \approx 263.1059$ |
| E-AUA | $2T_{sm} + 3T_{pa} + T_{exp} + T_{addmul1} + 6T_h + T_{AES} \approx 246.0799$ |

Fig. 4: Computation cost comparisons.

Our E-AUA protocol is compared with the state of the art AUA protocols [16] [25] [26] in terms of computation costs at the user and server sides. The results shown in Table IV, Table V and Fig. 9 demonstrate that our computation cost is lower than that of the three state of the art AUA protocols at the user side.
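The cost model behind Tables IV and V can be recomputed from the Table III unit times and the operation counts listed above. The following is an added example, not code from the paper; the dictionary keys and function names are assumptions chosen here, and it also reports which operation dominates each total.

```python
# Table III: average time per operation in milliseconds, as (user side, server side).
UNIT_MS = {
    "sm":      (106.2339, 35.0444),   # scalar multiplication in G1
    "h":       (0.2887,   0.0249),    # general hash (SHA-1)
    "pa":      (2.9391,   0.3343),    # point addition in G1
    "xor":     (0.0089,   0.0008),
    "addmul1": (0.0286,   0.003),     # add-multi in E-AUA
    "addmul2": (0.016,    0.0015),    # add-multi in He et al.'s protocol
    "add":     (0.0068,   0.0005),
    "mul":     (0.0246,   0.0038),    # multiplication in G2
    "div":     (0.1242,   0.0123),    # division in G2
    "exp":     (22.6778,  2.6735),    # exponentiation in G2
    "H":       (159.9495, 16.8731),   # point-to-point hash in G1
    "bp":      (432.1529, 45.4788),   # bilinear pairing
    "aes":     (0.3562,   0.0211),    # AES block encryption/decryption
}
SIDE = {"user": 0, "server": 1}

# Operation counts per protocol and side, as listed in the text above.
OPS = {
    "Liao [25]": {
        "user":   {"H": 1, "pa": 1, "sm": 7, "h": 5, "xor": 1, "add": 1},
        "server": {"bp": 2, "pa": 1, "sm": 5, "h": 2},
    },
    "Hsieh [26]": {
        "user":   {"H": 1, "pa": 1, "sm": 7, "h": 6, "xor": 1, "add": 1},
        "server": {"H": 1, "bp": 2, "pa": 1, "h": 4, "sm": 5},
    },
    "He [16]": {
        "user":   {"exp": 2, "sm": 2, "pa": 1, "xor": 2, "h": 8, "addmul2": 1},
        "server": {"exp": 4, "bp": 1, "h": 5, "mul": 2, "xor": 1},
    },
    "E-AUA": {
        "user":   {"sm": 2, "pa": 3, "exp": 1, "addmul1": 1, "h": 6, "aes": 1},
        "server": {"bp": 2, "exp": 2, "H": 1, "div": 1, "h": 3, "add": 1, "aes": 1},
    },
}


def breakdown(protocol, side):
    """Milliseconds contributed by each operation type, largest first."""
    col = SIDE[side]
    costs = {op: n * UNIT_MS[op][col] for op, n in OPS[protocol][side].items()}
    return dict(sorted(costs.items(), key=lambda kv: kv[1], reverse=True))


def total_ms(protocol, side):
    """Total computation time in milliseconds, rounded as in Tables IV and V."""
    return round(sum(breakdown(protocol, side).values()), 4)


def dominant(protocol, side):
    """The most expensive operation type and its share of the total."""
    costs = breakdown(protocol, side)
    op, ms = next(iter(costs.items()))
    return op, ms / sum(costs.values())


if __name__ == "__main__":
    for side in ("user", "server"):
        print(f"--- {side} side ---")
        for proto in OPS:
            op, share = dominant(proto, side)
            print(f"{proto:<11} {total_ms(proto, side):>9.4f} ms  "
                  f"(largest term: {op}, {share:.0%})")
    saving = total_ms("He [16]", "user") - total_ms("E-AUA", "user")
    extra = total_ms("E-AUA", "server") - total_ms("He [16]", "server")
    print(f"E-AUA vs He [16]: user -{saving:.4f} ms, server +{extra:.4f} ms")
```

Replacing `UNIT_MS` with timings measured on other hardware re-ranks the protocols without touching the operation counts.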

B. Analysis of Communication Cost

To ensure the security of our E-AUA protocol, we adopt the security level of the 1024-bit RSA algorithm. In our experiment, we choose an Ate pairing $e: G_1 \times G_1 \to G_2$, where $G_1$ is an additive cyclic group with a 160-bit prime order $q$. The elements in $G_1$ are generated by the points on the supersingular elliptic curve. The curve is defined as $E(F_p): y^2 = x^3 + 1$ over a finite field, where $p$ is a prime number of 512 bits. $G_2$ is a multiplicative group with the same order $q$. In summary, an element of $G_1$ or $G_2$ is 1024 bits in size, and an element of $Z_q^*$, or the output of the general hash function, is 160 bits in size. In order to resist offline dictionary attacks, an 8-character, 64-bit password is considered in our E-AUA protocol, and we assume that the identity of the user is 32 bits in length. The user's identity is used as an input to the symmetric encryption/decryption algorithm (e.g., AES-256), and we assume that the output length of the AES algorithm is 256 bits. With the above values, the communication cost of the related protocols is counted in four stages: user registration, server registration, login and authentication (note that this refers to the online login and authentication stage in our E-AUA protocol) and password change. The analysis process is shown below.

Our E-AUA protocol

1) User registration: In this stage, the user sends a registration message $\{ID_{U_i}, h_0(ID_{U_i}, PW_{U_i}, b_{U_i})\}$ to the RC, and the RC responds with a message $\{\psi_{U_i}, v_{U_i}\}$ to the user. In these two transmitted messages, $\psi_{U_i} \in G_1$, $v_{U_i}, h_0(ID_{U_i}, PW_{U_i}, b_{U_i}) \in Z_q^*$ and the user's identity $ID_{U_i}$ is 32 bits in length. Therefore, the communication cost in this stage is $1024 + 160 \times 2 + 32 = 1376$ bits. Similarly, the communication costs of Liao et al.'s protocol [25], Hsieh et al.'s protocol [26], and He et al.'s protocol [16] are 2112 bits, 4096 bits and 1536 bits respectively.

2) Server registration: In this stage, the server and the RC send messages $ID_{S_j}$ and $D_{s_j}$ respectively to each other, where $D_{s_j} \in G_1$ and the server's identity $ID_{S_j}$ is 32 bits in length. Therefore, the communication cost in this stage is $32 + 1024 = 1056$ bits. Similarly, the communication costs of Liao et al.'s protocol [25], Hsieh et al.'s protocol [26], and He et al.'s protocol [16] are 2240 bits, 2240 bits and 1056 bits respectively.

3) Online login and authentication: In this stage, there are two rounds of message exchange. The user and the server send messages $\{a, \kappa, b\}$ and $\{y, \alpha_{S_j}\}$ to the other party respectively, where $a, y \in G_1$, $\kappa, \alpha_{S_j} \in Z_q^*$ and the length of $b$ is 256 bits. Therefore, the communication cost in this stage is $1024 \times 2 + 160 \times 2 + 256 = 2624$ bits. Similarly, the communication costs of Liao et al.'s protocol [25], Hsieh et al.'s protocol [26], and He et al.'s protocol [16] are 5472 bits, 7488 bits and 3424 bits respectively.

4) Password change: In this stage, the user sends the message $\{ID_{U_i}, PW_{U_i}, PW^*_{U_i}\}$ to the RS, where $ID_{U_i}$ is 32 bits in length and both $PW_{U_i}$ and $PW^*_{U_i}$ are 8-character passwords of 64 bits each. Therefore, the communication cost in this stage is $32 + 64 \times 2 = 160$ bits. Similarly, the communication costs of Liao et al.'s protocol [25], Hsieh et al.'s protocol [26], and He et al.'s protocol [16] are 4448 bits, 3232 bits and 160 bits respectively.

To sum up, the overall communication cost of our E-AUA protocol is $1376 + 1056 + 2624 + 160 = 5216$ bits. Similarly, the total communication costs of Liao et al.'s protocol [25], Hsieh et al.'s protocol [26], and He et al.'s protocol [16] are 14272 bits, 17056 bits and 6176 bits respectively.

Fig. 5: The communication cost comparisons of different protocols in four phases.

In summary, we have compiled communication cost statistics on each protocol for the four different stages. In Liao et al.'s protocol [25], the communication costs of the four stages are 2112 bits, 2240 bits, 5472 bits and 4448 bits respectively, and the total communication cost is 14272 bits. The communication costs of the four stages in Hsieh et al.'s protocol [26] are 4096 bits, 2240 bits, 7488 bits and 3232 bits respectively, thus the total communication cost is 17056 bits. He et al.'s protocol [16] needs 1536 bits, 1056 bits, 3424 bits and 160 bits in the four stages respectively, so the total communication cost is 6176 bits. Finally, in our E-AUA protocol, the communication costs of the four stages are only 1376 bits, 1056 bits, 2624 bits and 160 bits respectively. Therefore, our E-AUA protocol needs only 5216 bits of communication in total. Fig. 5 shows the comparison of the communication costs of the four stages between our E-AUA protocol and the state of the art protocols [16] [25] [26], and Fig. 6 shows the total communication cost comparison between our E-AUA protocol and the benchmark protocols. Both results show that our E-AUA protocol has a lower communication cost than the benchmark protocols, whether in the overall communication cost or in the four different stages. Specifically, compared to He et al.'s protocol, the communication costs of our E-AUA protocol are 160 bits and 800 bits lower in the user registration and the online login and authentication stages respectively. In addition, the total communication cost of our E-AUA protocol is 960 bits lower than that of He et al.'s protocol, which shows that our E-AUA protocol has the best performance in terms of communication cost among the above four protocols.
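The per-stage bit counts for E-AUA follow directly from the field sizes fixed at the start of this subsection. The sketch below is an added example, not code from the paper; the field-type labels and function names are assumptions. It rebuilds each stage from its message fields and computes the per-stage difference against the totals reported for the other protocols.

```python
# Field sizes in bits, as fixed in the communication cost analysis.
BITS = {
    "G": 1024,    # element of G1 or G2
    "Zq": 160,    # element of Z_q^* or general hash output
    "id": 32,     # user or server identity
    "pw": 64,     # 8-character password
    "b256": 256,  # the value b, stated to be 256 bits long
}

# E-AUA messages per stage; each message is a list of (field name, field type).
E_AUA_MESSAGES = {
    "user registration": [
        [("ID_Ui", "id"), ("h0(ID_Ui, PW_Ui, b_Ui)", "Zq")],   # user -> RC
        [("psi_Ui", "G"), ("v_Ui", "Zq")],                      # RC -> user
    ],
    "server registration": [
        [("ID_Sj", "id")],                                      # server -> RC
        [("D_sj", "G")],                                        # RC -> server
    ],
    "online login and authentication": [
        [("a", "G"), ("kappa", "Zq"), ("b", "b256")],           # user -> server
        [("y", "G"), ("alpha_Sj", "Zq")],                       # server -> user
    ],
    "password change": [
        [("ID_Ui", "id"), ("PW_Ui", "pw"), ("PW*_Ui", "pw")],   # user -> RS
    ],
}
STAGES = list(E_AUA_MESSAGES)

# Per-stage totals reported in the text for the compared protocols (same stage order).
REPORTED = {
    "Liao [25]":  [2112, 2240, 5472, 4448],
    "Hsieh [26]": [4096, 2240, 7488, 3232],
    "He [16]":    [1536, 1056, 3424, 160],
}


def message_bits(message):
    """Size of one message: the sum of its field sizes."""
    return sum(BITS[kind] for _name, kind in message)


def stage_bits(stage):
    """Bits exchanged in one E-AUA stage, over all messages of that stage."""
    return sum(message_bits(m) for m in E_AUA_MESSAGES[stage])


def e_aua_costs():
    """Per-stage E-AUA communication cost in bits, in STAGES order."""
    return [stage_bits(stage) for stage in STAGES]


def savings_vs(protocol):
    """Bits saved by E-AUA in each stage relative to a reported protocol."""
    return {stage: other - ours
            for stage, other, ours in zip(STAGES, REPORTED[protocol], e_aua_costs())}


if __name__ == "__main__":
    ours = e_aua_costs()
    print("E-AUA per stage:", dict(zip(STAGES, ours)), "total:", sum(ours))
    for proto in REPORTED:
        delta = savings_vs(proto)
        print(f"saved vs {proto}: {delta} total: {sum(delta.values())}")
```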

In conclusion, our E-AUA protocol is a fast authentication scheme that can be applied to the mobile IoT multi-server architecture. It is especially well suited to the VANETs scenario, where vehicles move rapidly, are constrained by power storage, and issue a large number of mobile IoT service requests.

Fig. 6: The total communication cost comparisons of different protocols.

VII. CONCLUSION AND FUTURE WORKS

In this paper, to ensure the security and efficiency of mobile IoT communications, we proposed a substantially efficient E-AUA protocol, which is an identity-based SCPKC scheme without the online registration center. Compared with the state of the art, our E-AUA protocol can resist various stubborn attacks such as offline dictionary attacks and denial of service attacks, while achieving various other ideal security attributes for mobile IoT applications. We also explained our security model and proved the security of our E-AUA protocol within the model. In addition, we evaluated our E-AUA protocol, showing that both computational and communication overheads remain low at the user side. Specifically, our computational and communication overheads at the user side are satisfactory, with a decrease of 17.026 milliseconds and 960 bits respectively when compared with the state of the art AUA protocols. The experimental results show that our E-AUA protocol is more suitable for deployment in mobile IoT communications.

On a separate note, although we reduced the computation cost at the user side, the computation cost at the server side increased. The results are nevertheless within our acceptable range, considering that the aim is to reduce both communication and computation costs for mobile IoT clients. In order to further optimize our E-AUA protocol, we intend to improve the computational efficiency at the server side in the future.

REFERENCES

[1] Tahir Y, Yang S, Mccann J A, "BRPL: Backpressure RPL for High-throughput and mobile IoTs," IEEE T MOBILE COMPUT, PP(99):1-1, 2017.

[2] Wang S, Yao N, "LIAP: A local identity-based anonymous message authentication protocol in VANETs," COMPUT COMMUN, 112:154-164, 2017.

[3] Jiang S, Zhu X, Wang L, "An Efficient Anonymous Batch Authentication Scheme Based on HMAC for VANETs," IEEE T INTELL TRANSP, 17(8):2193-2204, 2016.

[4] Matta V, Mauro M D, Longo M, "DDoS Attacks with Randomized Traffic Innovation: Botnet Identification Challenges and Strategies," IEEE T INF FOREN SEC, PP(99):1-1, 2016.

[5] Xiong Q, Liang Y C, Li K H, et al., "Secure Transmission Against Pilot Spoofing Attack: A Two-Way Training-Based Scheme," IEEE T INF FOREN SEC, 11(5):1017-1026, 2016.

[6] Jian Shen, Tianqi Zhou, Xiaofeng Chen, Jin Li, Willy Susilo, "Anonymous and Traceable Group Data Sharing in Cloud Computing", IEEE T INF FOREN SEC, 13(4):912-925, 2018.

[7] W.-J. Tsaur, J.-H. Li, and W.-B. Lee, "An efficient and secure multiserver authentication scheme with key agreement," J SYST SOFTWARE, vol. 85, no. 4, pp. 876-882, 2012.

[8] Saxena N, Chaudhari N S, "EasySMS: A Protocol for End-to-End Secure Transmission of SMS," IEEE T INF FOREN SEC, 9(7):1157-1168, 2014.

[9] Guangquan Xu, Jia Liu, Yanrong Lu*, Xianjiao Zeng, Yao Zhang, Xiaoming Li, "A novel efficient MAKA protocol with desynchronization for anonymous roaming service in Global Mobility Networks", JNCA, 107:83-92, 2018.

[10] D. He and D. Wang, "Robust biometrics-based authentication scheme for multiserver environment," IEEE SYST J, vol. 9, no. 3, pp. 816-823, Sep. 2015.

[11] Fueyo M, Herranz J, "On the Efficiency of Revocation in RSA-Based Anonymous Systems," IEEE T INF FOREN SEC, 11(8):1771-1779, 2016.

[12] Chen Wang, Jian Shen, Qi Liu, Yongjun Ren and Tong Li, "A Novel Security Scheme based on Instant Encrypted Transmission for Internet-of-Things", SECUR COMMUN NETW, DOI: 10.1155/2018/3680851, 2018.

[13] V. Odelu, A. K. Das, and A. Goswami, "A secure biometrics-based multi-server authentication protocol using smart cards," IEEE T INF FOREN SEC, vol. 10, no. 9, pp. 1953-1966, Sep. 2015.

[14] Tsai K L, Huang Y L, Leu F Y, et al., "TTP Based High-Efficient Multi-Key Exchange Protocol," IEEE ACCESS, 4(99):6261-6271, 2016.

[15] Reddy A G, Yoon E J, Das A K, et al., "Design of Mutually Authenticated Key Agreement Protocol Resistant to Impersonation Attacks for Multi-Server Environment," IEEE ACCESS, 5(99):3622-3639, 2017.

[16] He D, Zeadally S, Kumar N, et al., "Efficient and Anonymous Mobile User Authentication Protocol Using Self-Certified Public Key Cryptography for Multi-Server Architectures," IEEE T INF FOREN SEC, 11(9):2052-2064, 2016.

[17] Xie Q, Wong D S, Wang G, et al., "Provably Secure Dynamic ID-Based Anonymous Two-Factor Authenticated Key Exchange Protocol With Extended Security Model," IEEE T INF FOREN SEC, 12(6):1382-1392, 2017.

[18] Wazid M, Das A K, Kumar N, et al., "Secure Three-factor User Authentication Scheme for Renewable Energy Based Smart Grid Environment," IEEE T IND INFORM, PP(99):1-1, 2017.

[19] Li F, Khan M K, Alghathbar K, et al., "Identity-based online/offline signcryption for low power devices," J NETW COMPUT APPL, 35(1):340-333, 2012.

[20] Zhang L, Wu Q, Domingo-Ferrer J, et al., "Round-Efficient and Sender-Unrestricted Dynamic Group Key Agreement Protocol for Secure Group Communications," IEEE T INF FOREN SEC, 10(11):2352-2364, 2015.

[21] Xiong H, Qin Z, "Revocable and Scalable Certificateless Remote Authentication Protocol With Anonymity for Wireless Body Area Networks," IEEE T INF FOREN SEC, 10(7):1442-1455, 2015.

[22] Qiu T, Liu X, Han M, et al., "SRTS: A Self-Recoverable Time Synchronization for sensor networks of healthcare IoT," COMPUT NETW, 481-492, 2017.

[23] Liu Y, Shen Y, Guo D, et al., "Network Localization and Synchronization Using Full-duplex Radios," IEEE T SIGNAL PROCES, PP(99):714-728, 2017.

[24] Xiong Y, Wu N, Shen Y, et al., "Cooperative Network Synchronization: Asymptotic Analysis," IEEE T SIGNAL PROCES, PP(99):757-772, 2017.

[25] Y.-P. Liao and C.-M. Hsiao, "A novel multi-server remote user authentication scheme using self-certified public keys for mobile clients," FUTURE GENER COMP SY, vol. 29, no. 3, pp. 886-900, 2013.

[26] W.-B. Hsieh and J.-S. Leu, "An anonymous mobile user authentication protocol using self-certified public keys based on multi-server architectures," J SUPERCOMPUT, vol. 70, no. 1, pp. 133-134, 2014.

[27] Shakiba M, Singh M J, Sundararajan E, et al., "Extending Birthday Paradox Theory to Estimate the Number of Tags in RFID Systems," PLOS ONE, 9(4):e95425, 2014.

[28] Huh J H, Oh S, Kim H, et al., "Surpass: System-initiated User-replaceable Passwords," ACM CCS, 170-181, 2015.

[29] Liu L, Vel O D, Han Q L, et al., "Detecting and Preventing Cyber Insider Threats: A Survey", IEEE COMMUN SURV TUT, vol. 20, no. 2, pp. 1397-1417, 2018.

[30] Jiang J, Wen S, Yu S, Xiang Y, et al., "Identifying Propagation Sources in Networks: State-of-the-Art and Comparative Studies", IEEE COMMUN SURV TUT, vol. 19, no. 1, pp. 465-481, 2017.

[31] Khan W Z, Xiang Y, Aalsalem M Y, et al., "Mobile Phone Sensing Systems: A Survey", IEEE COMMUN SURV TUT, vol. 15, no. 1, pp. 402-427, 2013.


Xianjiao Zeng is a master's student at the School of Computer Science and Technology, Tianjin University, China. She was born in Jilin, Jilin Province, China, in 1993. She received a bachelor's degree from the Yanshan University in July 2015. Her current research interests include anonymous user authentication protocol for IoT. She is a Student Member of the IEEE.

Guangquan Xu is a Ph.D. and associate professor at the Tianjin Key Laboratory of Advanced Networking (TANK), School of Computer Science and Technology, Tianjin University, China. He received his Ph.D. degree from Tianjin University in March 2008. He is a member of the CCF and ACM. His research interests include cyber security and trust management. He is a Member of the IEEE.

Xi Zheng is in Software Engineering from UT Austin, Master in Computer and Information Science from UNSW, Bachelor in Computer Information System from FuDan; Chief Solution Architect for Menulog Australia (2005-2012, the company sold for US 8.55 billion US Dollars), now assistant professor/lecturer in Software Engineering at Macquarie University. Specialised in Service Computing, IoT Security and Reliability Analysis. Published more than 40 high quality publications in top journals and conferences (PerCOM, ICSE, WWW Journal, IEEE IoT journal, IEEE Transactions on Vehicular Technology, IEEE Systems Journal, ACM Transactions on Embedded Computing Systems). Awarded the best paper in Australian distributed computing and doctoral conference in 2017. Awarded Deakin Research outstanding award in 2016. Reviewer for top journals and conferences (IEEE Systems Journal, ACM Transactions on Design Automation of Electronic Systems, Pervasive and Mobile Computing, IEEE Transaction on Cloud Computing, PerCOM). He is a Member of the IEEE.

Yang Xiang received his PhD in Computer Science from Deakin University, Australia. He is currently a full professor and the Dean of Digital Research & Innovation Capability Platform, Swinburne University of Technology, Australia. His research interests include cyber security, which covers network and system security, data analytics, distributed systems, and networking. In particular, he is currently leading his team developing active defense systems against large-scale distributed network attacks. He is the Chief Investigator of several projects in network and system security, funded by the Australian Research Council (ARC). He has published more than 200 research papers in many international journals and conferences. He served as the Associate Editor of IEEE Transactions on Computers, IEEE Transactions on Parallel and Distributed Systems, Security and Communication Networks (Wiley), and the Editor of Journal of Network and Computer Applications. He is the Coordinator, Asia for IEEE Computer Society Technical Committee on Distributed Processing (TCDP). He is a Senior Member of the IEEE.

Wanlei Zhou received the B.Eng. and M.Eng. degrees from the Harbin Institute of Technology, Harbin, China, in 1982 and 1984, respectively, the Ph.D. degree from The Australian National University, Canberra, Australia, in 1991, all in computer science and engineering, and the D.Sc. degree from Deakin University in 2002. He is currently the Alfred Deakin Professor and the Chair of Information Technology, School of Information Technology. He has authored over 300 papers in refereed international journals and refereed international conferences proceedings. He has also chaired many international conferences. He is a Senior Member of the IEEE.