This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TIFS.2017.2659640, IEEE Transactions on Information Forensics and Security
IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY

Provably Secure Dynamic ID-based Anonymous Two-factor Authenticated Key Exchange Protocol with Extended Security Model
Qi Xie*, Duncan S. Wong, Guilin Wang, Xiao Tan, Kefei Chen, Liming Fang

Abstract—An Authenticated Key Exchange (AKE) protocol allows a user and a server to authenticate each other and generate a session key for the subsequent communications. With the rapid development of low-power and highly efficient networks such as pervasive and mobile computing networks in recent years, many efficient AKE protocols have been proposed to achieve user privacy and authentication in communications. Besides secure session key establishment, those AKE protocols offer other useful functionalities such as two-factor user authentication and mutual authentication. However, most of them have one or more weaknesses, such as vulnerability to lost-smart-card attack, offline dictionary attack or de-synchronization attack, or lack of forward secrecy, user anonymity or untraceability. Furthermore, an AKE scheme under a public key infrastructure may not be suitable for lightweight computational devices, and the standard security model of AKE captures neither user anonymity nor resistance against lost-smart-card attack. In this paper, we propose a novel dynamic ID-based Anonymous Two-Factor AKE protocol which addresses all the above issues. Our protocol also supports smart card revocation and password update without centralized storage. Further, we extend the security model of AKE to support user anonymity and resistance against lost-smart-card attack, and the proposed scheme is provably secure in the extended security model. The low computational and bandwidth cost indicates that our protocol can be deployed for pervasive computing applications and mobile communications in practice.

Index Terms—Security, password authentication, anonymity, smart card, dynamic ID.

1 INTRODUCTION
With the rapid development of low-power and highly efficient networks, mobile users can pay bills, buy goods online, and carry out electronic transactions by subscribing to various remote services. Though mobile computing devices are highly portable, they are usually unprotected and easy to steal or lose. Unless precautions are taken, an unauthorized person may gain access to the information stored on them. For instance, illegal access may be acquired by intruders if the data is "sniffed out of the air" in wireless communications or some malware is installed. The lack of authentication and privacy may cause even more severe results like crippled devices, personal data loss, disclosure of non-public data, or charges for abused usage against the device owner.

Mobile computing devices are of great security concern not only because of the data stored on them, but also because they may provide access to other services that store or display non-public data. For almost all these transactions, mutual authentication and user privacy are required in the key exchange before remote servers start providing services to users. In particular, authentication and privacy play an important role in applications for industrial networks [1], wireless sensor networks [2], [3], distributed networks [4], [5], [6], as well as RFID systems [7], [8], [9]. Due to their advantages in portability and usability, most proposed authenticated key exchange (AKE) protocols support two-factor authentication using passwords and smart cards [10], [11], [12], [13], [14], especially with the recent evolution of contactless smart cards towards NFC (near-field communication) technology. There are two main attacks that a secure two-factor AKE protocol has to defend against: Lost-Smart-Card Attack and Offline Password Dictionary Attack [15], [16], [17], [18], [19]. In a lost-smart-card attack, an adversary is considered to have obtained all the data in a stolen smart card by logical or physical means, even if the smart cards are designed for a certain level of tamper resistance [20]. Kocher et al. [21] and Messerges et al. [22] pointed out that through physical monitoring of the power consumption of smart cards, the confidential information stored in smart cards could be extracted. In other words, once a card is lost, all secrets in it may be compromised. In an offline dictionary attack, the adversary launches a password guessing attack against short, non-uniformly distributed passwords. Note that an online dictionary attack can usually be prevented in practice by resetting the user's account or revoking the smart card when the number of consecutive failed authentication attempts reaches a threshold, while an offline dictionary attack cannot be detected by the above methods.

Besides resistance against lost-smart-card attack and offline dictionary attack, user privacy is another desirable feature in online transactions and industrial engineering applications, and many recent two-factor AKE protocols support at least

• Qi Xie, Xiao Tan and Kefei Chen are with the Key Laboratory of Cryptography and Network Security, Hangzhou Normal University, Hangzhou, China. E-mail: qixie68@126.com
• Duncan S. Wong is with Hong Kong Applied Science and Technology Research Institute, Hong Kong.
• Guilin Wang is with Shield Lab, Central Research Institute, Huawei International Pte Ltd, Singapore.
• Liming Fang is with the College of Computer Science and Technology, Nanjing University of Aeronautics and Astronautics, Nanjing, China.

1556-6013 (c) 2016 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

a certain degree of user privacy [23], [24], [25]. Informally, user privacy refers to the anonymity and untraceability of a user's identity as well as the corresponding smart card in the protocol executions. Anonymity aims to protect the location and activities of the user, while untraceability prevents an adversary from linking two sessions to the same user. Though traceability may not allow an adversary to identify a user directly, it may help the adversary to profile a user, for example, to reveal the email server and the bank account of the user, or the online shopping mall that the user used to visit [26], [27]. Hence the main research problem on two-factor AKE nowadays is to construct a scheme that supports user anonymity and untraceability and preserves security against both lost-smart-card attack and offline dictionary attack.

In 2005, Fan et al. [27] proposed a two-factor authentication protocol that fails to achieve user anonymity and session key establishment. As it is based on Rabin's public key cryptosystem, Fan et al.'s scheme is less efficient when compared with recent results based on elliptic curve cryptosystems. To protect user privacy, Das et al. [28] proposed a dynamic ID-based password authentication scheme. In recent years, designing anonymous authentication schemes using dynamic IDs has become a hot research topic [18], [19], [23], [24], [25], [29], [30], [31], [32], [33], [34], [37], [38]. In [23], Juang et al. proposed an Anonymous Two-factor AKE protocol, which was later shown by Sun et al. [24] and Li et al. [25] to achieve neither untraceability nor change of passwords. [24], [25] also proposed improved schemes for achieving user anonymity and untraceability as well as security against lost-smart-card attack and offline dictionary attack. In 2012, Li-Zhang [32] showed that Sun et al.'s scheme [24] is insecure and proposed an improved scheme. Ma et al. [15], Madhusudhan-Mittal [29] and Wang et al. [35] showed that many recently proposed dynamic ID-based Anonymous Two-factor AKE protocols have one or more weaknesses, such as vulnerability to lost-smart-card attack or offline dictionary attack, or lack of forward secrecy, anonymity and untraceability. It is worth noting that, in order to provide user anonymity, almost all dynamic ID-based two-factor authentication protocols need an additional synchronization mechanism to maintain the consistency of the one-time identity between the user and the server. However, this consistency is easily broken, and the user may then no longer be able to log in to the server [34]. Very recently, Chaudhry et al. proposed two schemes [37], [38] that are claimed to achieve anonymity and many other desirable properties, but neither of them supports smart card revocation, and the second scheme [38] does not provide a password change mechanism. Besides, we found that the first scheme [37] fails to achieve forward secrecy even though it claims to, because its previous session keys can be recovered if the adversary gets access to the user's password, smart card and protocol transcripts of previous sessions. There are also some other schemes based on biometric techniques or adjusted for the setting of multiple servers [39], [40], which are of independent interest but out of the scope of this paper. Furthermore, schemes under a public key infrastructure may not be suitable for lightweight computation devices. Therefore, it is still an open problem to design a secure and efficient Anonymous Two-Factor AKE scheme without using public keys.

In this paper, we first extend the security model of AKE to support user anonymity and resist lost-smart-card attack, and then propose a dynamic ID-based Anonymous Two-Factor AKE protocol which satisfies all the following properties: (1) Security against various attacks including de-synchronization attack, lost-smart-card attack and offline dictionary attack; (2) User anonymity and untraceability; (3) Perfect forward secrecy; (4) No long-term public key; (5) No centralized password storage, and support for user password change and smart card revocation; (6) Provable security in the extended security model. The proposed scheme is very lightweight in computation and requires only a small number of message flows of short messages. Hence the protocol is suitable for deployment in pervasive computing applications and mobile communications.

As our scheme is based on elliptic curve cryptosystems, we use the following notations in this paper:

• $p$: a large prime number.
• $E_p$: a $p$-order elliptic curve group defined over $GF(q)$ where $q$ is a prime or in the binary space $2^n$.
• $G$: a generator of the group $E_p$.
• $(E_k(), D_k())$: symmetric key encryption/decryption under key $k$ of a remote server $S$.
• $x$: a long-term secret key of $S$.
• $SC$: a smart card.
• $PW$: a user $U$'s password.
• $SK$: a session key.
• $h_1(), h_2(), h'_2()$: cryptographic hash functions, where $h_1()$ maps to the $p$-order cyclic group of integers $Z_p$, and $h_2()$ and $h'_2()$ map to 256-bit strings.

The rest of the paper is organized as follows. In Sections 2 and 3, the security model is introduced and a secure anonymous two-factor AKE scheme is proposed. Then we present the security proof in Section 4. The comparisons of functionalities and performance of our scheme and some existing schemes are given in Section 5. The paper is concluded in Section 6.

2 SECURITY MODEL
In this section, we extend the security model of AKE [32], [36] to support user anonymity for two-factor authenticated key exchange (TF-AKE). Note that the original AKE model already implies security against offline dictionary attack and perfect forward secrecy. Our enhanced model extends the oracle Corrupt() to capture two-factor security that can resist lost-smart-card attack, and additionally defines the oracle TestID() for capturing the notion of user anonymity. Note that, as in any two-factor authentication scheme, an adversary can get the smart card or the password, but not both. The security of this type of protocol cannot rely on the user's identity being unknown to the adversary, since an insider attacker can learn the user's identity easily. This security criterion has been widely adopted for designing two-factor authentication schemes.

2.1 Participants
In an anonymous TF-AKE protocol, there are two kinds of participants: user $U$ and server $S$; both may have multiple instances and are allowed to run the protocol concurrently.


The user $U$ and the server $S$ share a password $PW$ chosen from a small dictionary $D$ and a private key $x$. When $U$ registers with $S$, $S$ will issue a smart card to $U$. $U^i$ (resp. $S^i$) denotes the $i$-th instance of $U$ (resp. $S$). The identifiers of $U^i$'s (resp. $S^i$'s) partner and session are denoted by $pid^i_U$ and $sid^i_U$ (resp. $pid^i_S$ and $sid^i_S$). $acc^i_U$ is a boolean variable that denotes whether $U^i$ has accepted or not. We say $U^i$ and $S^j$ are partners if all the following conditions hold: (1) $pid^i_U = S^j$ and $pid^j_S = U^i$; (2) $sid^i_U = sid^j_S \neq null$; (3) $acc^i_U = acc^j_S = 1$.

2.2 Queries
An adversary can query the following oracles:

• $Execute(U^i, S^j)$: This oracle models passive attacks that allow the adversary to get access to honest executions of the protocol between $U^i$ and $S^j$. The oracle is essential for properly dealing with offline dictionary attack, which depends on how many interactions the adversary carries out against the protocol.
• $Send(U^i/S^j, m)$: This oracle models active attacks in which the adversary sends a message to $U^i/S^j$ and gets the response from $U^i/S^j$. The adversary can use $Send(U^i, start)$ to initialize a protocol session.
• $Reveal(U^i)$: This oracle captures the notion of known key attack. It allows the adversary to learn the session key held by $U^i$.
• $Corrupt(U, a)$: This oracle captures the notion of two-factor security. It allows the adversary to obtain either the secret value of $U$ or the messages stored in the smart card.
  a) If $a = 1$, it outputs $U$'s long-term password $PW$. This type of query models perfect forward secrecy.
  b) If $a = 2$, it outputs the messages stored in $U$'s smart card. This type of query models security against lost-smart-card attack.
• $TestID(U)$: This oracle query tests user anonymity regarding $U$'s real identity, and can be asked by the adversary at most once. If both $Corrupt(U, 1)$ and $Corrupt(U, 2)$ have already been queried by the adversary, then it returns the invalid symbol $\bot$. Otherwise, the oracle tosses a random bit $b$, then returns $U$'s identity if $b = 1$, or a random element of the identity space if $b = 0$.
• $TestAKE(U^i)$: This oracle query tests the AKE security of $U^i$'s session key, and can be asked by the adversary at most once. If no session key is defined or the instance $U^i$ is not fresh (the definition of freshness is given below), then it returns the invalid symbol $\bot$. Otherwise, the oracle tosses a random bit $b$, then returns $U^i$'s session key if $b = 1$, or a random element of the key space if $b = 0$.

2.3 Freshness
The freshness of a session key guarantees that the adversary cannot get the key trivially. We say an instance $U^i$ is fresh if: (1) $acc^i_U = 1$; (2) neither $Reveal(U^i)$ nor $Reveal(pid^i_U)$ is queried by the adversary; (3) at least one of $Corrupt(U, 1)$ and $Corrupt(U, 2)$ is not queried by the adversary.

2.4 Semantic Security
The goal of the adversary is to guess the bit $b$ involved in either the TestID-query or the TestAKE-query. Let $Succ$ be the event that the adversary $A$ correctly guesses the bit $b$. The advantage of the adversary against anonymous TF-AKE is defined as $\mathrm{Adv}^{PA}_{A,D}(A) = 2 \cdot \Pr[Succ] - 1$.

3 THE PROPOSED SCHEME
3.1 Our Ideas
In this section, we propose a new TF-AKE scheme to overcome the weaknesses of the previous schemes. Our ideas can be summarized as follows: (a) encrypt the user ID for user anonymity as in Sun et al.'s scheme, and adopt a mechanism similar to Li et al.'s scheme for ensuring user untraceability, while introducing an additional mechanism against de-synchronization; (b) encrypt all data stored in the smart card $SC$ under either the server $S$'s long-term secret number or the user's password, and ensure that an adversary is unable to get the server's long-term secret number or the user's password through a lost-smart-card attack; (c) introduce nonces in the message flows to prevent the leakage of any information which would help an adversary launch an offline dictionary attack; and (d) use the conventional method to defend against online dictionary attacks, namely, when a preset maximum number of consecutive failed attempts is reached, further runs of the Login and Authentication process between $SC$ and $S$ are prohibited.

3.2 Scheme Specification
Let CTR_SC and CTR_Svr be two counters maintained by the smart card $SC$ and the server $S$ respectively, with their values initially set to 0. CTR_Svr corresponds to a user identified by the pair $(ID, CI)$; it is used for tracking the number of consecutive failed attempts of Login and Authentication made with respect to $ID$ and $CI$. The Login and Authentication process is terminated when CTR_SC or CTR_Svr reaches a reset threshold value $n$. The scheme consists of four phases: user registration, login and authentication, password change and smart card revocation.

1) User registration
Step 1) A user $U$ randomly picks a sub-identity $ID_u$ and sends it to a server $S$ via a secure channel.
Step 2) $S$ randomly picks another sub-identity $ID_s$, a card identifier $CI$ and a nonce $N_0$ for $U$, and computes $ID = ID_u \| ID_s \| CI$, $DID = E_x(ID \| N_0)$, $V_0 = h_1(ID \| x)$, where $x$ is $S$'s long-term secret number and $V_0$ is a big number in $Z_p$. $S$ writes $(DID, V_0)$ into $SC$, and sends $SC$ to $U$ via a secure channel. $S$ also stores $ID$, $CI$ and CTR_Svr in a registration table, where the initial value of CTR_Svr is set to 0. Note that we use $n$ to denote the threshold value which is used for detecting online dictionary attack. Also note that $S$ can revoke a lost card or issue a new card to $U$ without changing the user's sub-identity $ID_u$.


Card {DID, V, CTR_SC}                                        Server {CTR_Svr, CI, ID}

If CTR_SC < n:
  e = rG, V0 = V ⊕ h1(PW),
  V1 = e + h1(V0||IDu||T1)G.
Otherwise, abort the protocol.
                     ---- (V1, DID, T1) ---->
                                                             If T1 is fresh, decrypt DID, get ID;
                                                             if IDu, IDs, CI are valid and CTR_Svr < n:
                                                               e = V1 − h1(V0||IDu||T1)G,
                                                               c = ue, d = uG,
                                                               NID = Ex(ID||N1),
                                                               V2 = h2(c) ⊕ NID,
                                                               V3 = h2(NID||c||T2).
                                                             Otherwise, abort the protocol.
                     <--- (V2, V3, d, T2) ----
If T2 is fresh:
  c = rd, NID = V2 ⊕ h2(c);
  if V3 = h2(NID||c||T2):
    V4 = h2(V1||c), SK = h2(c||d||e), update DID;
  else set CTR_SC = CTR_SC + 1.
                     ---- (V4) ---->
                                                             If V4 = h2(V1||c): SK = h2(c||d||e);
                                                             else set CTR_Svr = CTR_Svr + 1.

Fig. 1. Login and authentication phase
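The login and authentication phase of Fig. 1, worked end to end as an added example (this is not the paper's or the authors' code). It assumes secp256k1 as the group $E_p$ with $h_1$ reduced modulo the group order, SHA-256 as $h_2$, a placeholder keystream cipher standing in for $E_x/D_x$, a 5-second timestamp window and a threshold $n = 3$; the registration steps run first so that the card holds $(DID, V, CTR\_SC)$.

```python
import hashlib, os, secrets, time

# Group E_p: secp256k1, whose generator G has prime order N (assumption: any prime-order
# curve works; h1 maps into Z_N, h2 is SHA-256, E_k/D_k is a placeholder keystream cipher).
P_MOD, A = 2**256 - 2**32 - 977, 0
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
MAX_FAIL, WINDOW = 3, 5               # paper's threshold n; timestamp window in seconds (assumed)
i2b = lambda i: i.to_bytes(32, "big")

def ec_add(P, Q):
    """Affine point addition on y^2 = x^3 + 7; None is the point at infinity."""
    if P is None: return Q
    if Q is None: return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % P_MOD == 0: return None
    if P == Q: lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:      lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def ec_mul(k, P):                     # double-and-add scalar multiplication k*P
    R = None
    while k:
        if k & 1: R = ec_add(R, P)
        P, k = ec_add(P, P), k >> 1
    return R

def ec_neg(P): return None if P is None else (P[0], -P[1] % P_MOD)
def enc_pt(P): return b"\0" * 64 if P is None else i2b(P[0]) + i2b(P[1])
def xor(a, b): return bytes(x ^ y for x, y in zip(a, b))
def h1(*parts): return int.from_bytes(hashlib.sha256(b"h1" + b"".join(parts)).digest(), "big") % N
def h2(*parts): return hashlib.sha256(b"h2" + b"".join(parts)).digest()
def sym_enc(key, msg):                # stand-in for E_k(): SHA-256 keystream, fresh IV (demo only)
    iv = os.urandom(8)
    return iv + xor(msg, hashlib.sha256(key + iv).digest())
def sym_dec(key, ct): return xor(ct[8:], hashlib.sha256(key + ct[:8]).digest())

class Server:
    def __init__(self):
        self.x = secrets.token_bytes(32)      # long-term secret x
        self.table, self.pending = {}, {}     # ID -> [CI, CTR_Svr]; DID -> state awaiting V4
    def register(self, id_u):                 # registration Step 2
        ID = id_u + os.urandom(6) + os.urandom(4)   # ID = IDu || IDs || CI (6 + 6 + 4 bytes)
        self.table[ID] = [ID[12:], 0]
        return sym_enc(self.x, ID + os.urandom(8)), h1(ID, self.x)   # DID = E_x(ID||N0), V0
    def login_step2(self, msg, now):
        V1, DID, t1 = msg
        if abs(now - t1) > WINDOW: return None                        # T1 not fresh
        ID = sym_dec(self.x, DID)[:16]                                # drop the nonce N0
        if ID not in self.table or self.table[ID][1] >= MAX_FAIL: return None
        e = ec_add(V1, ec_neg(ec_mul(h1(i2b(h1(ID, self.x)), ID[:6], i2b(t1)), G)))
        u = secrets.randbelow(N - 1) + 1
        c, d = ec_mul(u, e), ec_mul(u, G)
        NID = sym_enc(self.x, ID + os.urandom(8))                     # E_x(ID||N1): next dynamic ID
        V2, V3 = xor(h2(enc_pt(c)), NID), h2(NID, enc_pt(c), i2b(now))
        self.pending[DID] = (ID, V1, c, d, e)                         # DID as session handle (assumption)
        return (V2, V3, d, now)
    def login_step4(self, DID, V4):
        ID, V1, c, d, e = self.pending.pop(DID)
        if V4 != h2(enc_pt(V1), enc_pt(c)):
            self.table[ID][1] += 1                                    # CTR_Svr + 1
            return None
        self.table[ID][1] = 0
        return h2(enc_pt(c), enc_pt(d), enc_pt(e))                    # SK

class Card:
    def __init__(self, DID, V0, pw, id_u):                            # registration Step 3
        self.DID, self.V, self.ctr, self.id_u = DID, V0 ^ h1(pw), 0, id_u
    def login_step1(self, pw, t1):
        if self.ctr >= MAX_FAIL: return None
        self.r = secrets.randbelow(N - 1) + 1
        self.e = ec_mul(self.r, G)
        V0 = self.V ^ h1(pw)                                          # equals h1(ID||x) iff pw is right
        self.V1 = ec_add(self.e, ec_mul(h1(i2b(V0), self.id_u, i2b(t1)), G))
        return (self.V1, self.DID, t1)
    def login_step3(self, msg, now):
        V2, V3, d, t2 = msg
        if abs(now - t2) > WINDOW: return None
        c = ec_mul(self.r, d)                                         # c = r d = r u G
        NID = xor(V2, h2(enc_pt(c)))
        if V3 != h2(NID, enc_pt(c), i2b(t2)):
            self.ctr += 1                                             # server not authenticated
            return None
        self.sk = h2(enc_pt(c), enc_pt(d), enc_pt(self.e))
        self.DID, self.ctr = NID, 0                                   # roll DID forward, reset counter
        return h2(enc_pt(self.V1), enc_pt(c))                         # V4

def run_login(pw_entered, pw_real=b"correct horse", now=None):
    """Register a card, then run one login; returns (card SK, server SK, CTR_SC)."""
    now = now or int(time.time())
    srv, id_u = Server(), b"alice1"
    DID, V0 = srv.register(id_u)
    card = Card(DID, V0, pw_real, id_u)
    m1 = card.login_step1(pw_entered, now)
    m2 = srv.login_step2(m1, now)
    V4 = card.login_step3(m2, now)
    if V4 is None: return None, None, card.ctr
    return card.sk, srv.login_step4(m1[1], V4), card.ctr
```

A wrong password makes the card derive a wrong $V_0$, so the server recovers a different $e$ and the card's $V_3$ check fails; the card only learns "authentication failed" and increments CTR_SC, which is why the stored $V$ gives an offline guesser nothing to test against.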

Step 3) $U$ chooses a password $PW$ and replaces $V_0$ in $SC$ by $V = V_0 \oplus h_1(PW)$. Note that the output of $h_1()$ is a big number in $Z_p$; it can be treated as a string of length $|Z_p|$ for bit-wise operations. Finally, the initial value 0 of CTR_SC is written into $SC$. Now $SC$ contains $(DID, V, CTR\_SC)$ and the threshold value $n$.

2) Login and authentication
Fig. 1 illustrates this phase. Below are the details of the protocol carried out between user $U$ and server $S$.
Step 1) $U$ enters password $PW$ and sub-identity $ID_u$. If CTR_SC $< n$, $SC$ randomly selects $r \in_R Z_p$ and computes $e = rG$, $V_0 = V \oplus h_1(PW) = h_1(ID \| x)$, and $V_1 = e + h_1(V_0 \| ID_u \| T_1)G$, where $T_1$ is the current timestamp. $SC$ sends $(V_1, DID, T_1)$ to $S$. Otherwise, $U$ aborts the protocol.
Step 2) Upon receiving $(V_1, DID, T_1)$, $S$ first checks the freshness of $T_1$. The freshness of a timestamp means that the message reaches the receiver within a predefined threshold of time, which is a widely applied technique for resisting replay attack. If the check holds, $S$ decrypts $DID$ to get $(ID = ID_u \| ID_s \| CI, N_0)$. If $ID_u$, $ID_s$ and $CI$ are invalid and CTR_Svr $> n$, $S$ terminates the protocol. Otherwise, $S$ computes $e = V_1 - h_1(V_0 \| ID_u \| T_1)G$, randomly picks two nonces $u$ and $N_1$, and computes $c = ue = urG$ and $d = uG$. $S$ further sets $NID = E_x(ID \| N_1)$, $V_2 = h_2(c) \oplus NID$ and $V_3 = h_2(NID \| c \| T_2)$, and sends $(V_2, V_3, d, T_2)$ to $SC$, where $T_2$ is the current timestamp. Otherwise, $S$ aborts the protocol.
If $S$ receives another request message $(V_1', DID, T_1')$ with the same $DID$ at $T_1'$ without having received the $V_4$ related to $(V_1, DID, T_1)$, then $S$ sets CTR_Svr = CTR_Svr + 1 and aborts.
Step 3) Upon receiving $(V_2, V_3, d, T_2)$, $SC$ checks the freshness of $T_2$. If so, $SC$ computes $c = rd = ruG$ and $NID = h_2(c) \oplus V_2$, then checks whether $V_3$ equals $h_2(NID \| c \| T_2)$ to authenticate $S$. If so, $SC$ computes $V_4 = h_2(V_1 \| c)$, replaces $DID$ with $NID$, computes the session key $SK = h_2(c \| d \| e)$ and sends $V_4$ to $S$. $SC$ also resets CTR_SC to 0. Otherwise, $SC$ aborts and sets CTR_SC = CTR_SC + 1.
Step 4) $S$ computes $h_2(V_1 \| c)$. If it equals $V_4$, $S$ sets CTR_Svr to 0 and computes $SK = h_2(c \| d \| e)$ as the session key. Otherwise, $S$ sets CTR_Svr = CTR_Svr + 1 and aborts.

3) Password change
To change the password, $U$ enters the old password $PW$ and passes through the authentication process of the server, then enters a new password $PW^*$. $SC$ computes $V^* = V \oplus h_1(PW) \oplus h_1(PW^*) = h_1(ID \| x) \oplus h_1(PW^*)$, then replaces $V$ with $V^*$ in the smart card.
The user can change his password by entering his old password and new password, and then updating the related parameter. However, this may have problems. If a password authenticator is stored in the smart card, then an adversary can launch an offline password guessing attack once he knows the information stored in the smart card. Otherwise, the user cannot know whether his entered password is correct or not; if it is not, he may not pass through the authentication process of the server in the next session run. Therefore, the change of password should be done after passing the authentication process of the server, and, as a common practice, we require the user to enter the new password twice to ensure its correctness.

4) Smart Card Revocation
If $U$ lost his smart card, he can ask $S$ to issue a new


smart card after checking the validity of $U$'s sub-identity $ID_u$. The process of issuing a new smart card is the same as that in the registration phase: $S$ generates a new card identifier $CI'$ and a nonce $N_0$, computes $ID = ID_u \| ID_s \| CI'$, $DID = E_x(ID \| N_0)$, $V_0 = h_1(ID \| x)$, writes $(DID, V_0)$ into $SC$, and sends $SC$ to $U$ via a secure channel. $S$ also stores the new $ID$, $CI'$ and CTR_Svr in the registration table, where the initial value of CTR_Svr is set to 0.

4 SECURITY PROOF
4.1 Formal Security Proof
Theorem 1. Let $E_p$ and $D$ be an elliptic curve group and a uniformly distributed password dictionary, respectively. Let $PA$ be our proposed authentication scheme, and $A$ be an adversary against our scheme. Let $\mathrm{Adv}^{SE}_{E_x}$ be the advantage of any probabilistic polynomial time (PPT) adversary against the symmetric encryption scheme $E_x()$ using key $x$, $\mathrm{Adv}^{CDH}_{E_p}$ be the advantage of any PPT adversary that solves an instance of the CDH problem in $E_p$, and $t$ be the expected running time of the adversary. Then, we have:
$$\mathrm{Adv}^{PA}_{A,D}(A) \le \frac{2q_{send}}{|D|} + \frac{2q_{send} + (q_{send} + q_{exe})^2}{n} + \frac{q_h^2}{2^l} + 2\,\mathrm{Adv}^{SE}_{E_x}(t) + 2q_h\,\mathrm{Adv}^{CDH}_{E_p}\big(t + (q_{send} + q_{exe} + 1) \cdot \tau_G\big)$$
where $l$, $q_{send}$, $q_{exe}$, $q_h$, $|D|$ and $\tau_G$ denote the bit length of $h_2$'s outputs, the number of Send-queries, the number of Execute-queries, the number of Hash-queries, the cardinality of the dictionary $D$, and the scalar multiplication time in $G$, respectively.

Proof. We define a sequence of hybrid experiments starting with the real attack experiment $Exp_0$ and ending with the experiment $Exp_5$. Let $Succ_i$ be the event that the adversary correctly guesses the bit $b$ involved in the Test-query in experiment $Exp_i$, where $i = 0, 1, \ldots, 5$. Let $\Delta_i$ denote the distance between experiments $Exp_i$ and $Exp_{i+1}$. Then, we have
$$\mathrm{Adv}^{PA}_{A,D}(A) = 2\Pr[Succ_n] - 1 + 2(\Pr[Succ_0] - \Pr[Succ_n]) \le 2\Pr[Succ_n] - 1 + 2\sum_{i=0}^{n-1} \Delta_i$$
which implies that if the difference in success probability between any two consecutive experiments $\Delta_i$ is negligible, then the adversary's advantage in the original experiment $Exp_0$ will be almost the same as that in the final experiment $Exp_5$. In other words, if we can show that $\Pr[Succ_5]$ is a negligible value, then so is $\Pr[Succ_0]$, and $\mathrm{Adv}^{PA}_{A,D}(A)$ too.

$Exp_0$: This experiment corresponds to the real attack, in the random oracle model. By definition, we have $\mathrm{Adv}^{PA}_{A,D}(A) = 2\Pr[Succ_0] - 1$.

$Exp_1$: In this experiment, we simulate the two hash oracles $h_1$ and $h_2$ as in Fig. 2. We also simulate an additional hash oracle $h'_2$ as in Fig. 2, which will appear in $Exp_4$. The Execute, Reveal, Send, Corrupt, TestID and TestAKE oracles are also simulated as in Figs. 3 and 4. User anonymity is enforced because if the adversary can distinguish whether $DID$ is the ciphertext of $ID_1$ in the oracle TestID, then it will also be able to break the underlying symmetric encryption scheme $E_k()$ with the same probability. In particular, if the adversary successfully guesses $b' = b$, then $U$'s real identity is $ID = ID_1$ if $b' = 1$, or $ID = ID_0$ if $b' = 0$. Hence, $\Delta_0 \le \mathrm{Adv}^{SE}_{E_x}(t)$.

$Exp_2$: In this experiment, we simulate all oracles as in the above experiment except that we halt all executions in which a collision occurs in the transcript $((V_1, DID, T_1), (V_2, V_3, d, T_2), (V_4))$ or in the output of the hash queries. According to the birthday paradox, we have that
$$\Delta_1 \le \frac{(q_{send} + q_{exe})^2}{2n} + \frac{q_h^2}{2^{l+1}}.$$
In particular, the transcript $(V_1, DID, T_1), (V_2, V_3, d, T_2), (V_4)$ can be generated by querying either the oracle Send or the oracle Execute. Therefore, the size of the collision set is at most $q_{send} + q_{exe}$, and the number of possible collision pairs is about $(q_{send} + q_{exe})^2$. The probability $\frac{1}{n}$ is the upper bound for a single collision, because if one collision occurs (e.g. $(V_1, DID, T_1) = (V_1', DID', T_1')$), then we must have $T_1 = T_1'$, that is, the timestamps also collide. The analysis is similar for the collision probability $\frac{q_h^2}{2^{l+1}}$ of hash queries.

$Exp_3$: In this experiment, we stop the executions if the adversary could luckily guess the authentication values $V_3$ and $V_4$. Since experiments $Exp_3$ and $Exp_2$ are indistinguishable unless the server (or the user) rejects a valid authentication value, we get that $\Delta_2 \le \frac{q_{send}}{n}$.

$Exp_4$: In this experiment, we use the private oracle $h'_2$ instead of $h_2$ to compute the session key, so that the session key $SK$ is independent of $h_2$ and $c$. More precisely, in the Execute queries, one gets $SK = h'_2(d \| e)$. $Exp_4$ and $Exp_3$ are indistinguishable unless the event $AskH_4$ occurs, where $AskH_4$ denotes the event that the adversary queries the hash oracle $h_2$ on $c \| d \| e$ in $Exp_4$. Similarly, we use $AskH_5$ to denote the event that the adversary makes this query in $Exp_5$ below. Moreover, the answer to the bit $b$ involved in the Test-query is random, and the choice of $b$ is independent of all the session executions. Therefore, we have $\Delta_3 \le \Pr[AskH_4]$ and $\Pr[Succ_4] = \frac{1}{2}$.

$Exp_5$: In this experiment, we simulate the executions using the random self-reducibility of the Diffie-Hellman problem: given one CDH instance $(A, B)$, we choose $\alpha, \beta \in Z_n^*$ randomly, and compute $e = \alpha A$ and $d = \beta B$. Since $AskH_4$ means that the adversary queries $h_2$ on $c \| d \| e$, where $c = CDH(d, e)$, we get that $\Pr[AskH_4] = \Pr[AskH_5]$ and $CDH(d, e) = \alpha \cdot \beta \cdot CDH(A, B)$, where $CDH(d, e)$ (resp. $CDH(A, B)$) denotes a solution of the CDH instance $(d, e)$ (resp. $(A, B)$). If the adversary has made the $Corrupt(U, 2)$ query, he must not have made the password-corrupt query $Corrupt(U, 1)$. Then, the adversary can only test one password per transcript. Therefore, we have:
$$\Pr[AskH_5] \le \frac{q_{send}}{|D|} + q_h\,\mathrm{Adv}^{CDH}_{E_p}\big(t + (q_{send} + q_{exe} + 1) \cdot \tau_G\big)$$
where the probability that the event $AskH_5$ occurs is bounded by the number of queries related to offline dictionary attacks and the adversary's advantage in solving the given CDH instance $(A, B)$ on $E_p$. By combining all the intermediate results, we can easily derive the formula in


• On a hash query $h_1(m)$ for which there exists a record $(m, R)$ in the list $\Lambda_{h_1}$, return $R$. Otherwise, choose an element $R \in G$, add the record $(m, R)$ to the list $\Lambda_{h_1}$ and return $R$.
• On a hash query $h_2(m)$ (resp. $h'_2(m)$) for which there exists a record $(m, r)$ in the list $\Lambda_{h_2}$ (resp. $\Lambda_{h'_2}$), return $r$. Otherwise, choose an element $r \in Z_n^*$, add the record $(m, r)$ to the list $\Lambda_{h_2}$ (resp. $\Lambda_{h'_2}$) and return $r$.

Fig. 2. Simulation of random oracles $h_1$ and $h_2$

• On a query $Send(U^i, start)$, assuming $U^i$ is in the correct state, we proceed as follows:
Choose a random element $r_U \in Z_n^*$, and compute $e = r_U G$, $V_1 = e + Q$, where $Q = h_1(V_0 \| ID_u \| T_1)G$. Then the query is answered with $(V_1, DID, T_1)$.

• On a query $Send(S^j, (V_1, DID, T_1))$, assuming $S^j$ is in the correct state, we proceed as follows:
Choose a random element $r_S \in Z_n^*$, and compute $e = V_1 - Q$, $d = r_S G$, $c = r_S e$, $NID = E_x(ID \| N_1)$, $V_2 = h_2(c) \oplus NID$ and $V_3 = h_2(NID \| c \| T_2)$, where $N_1$ is a nonce, $T_2$ is the current timestamp and $Q = h_1(V_0 \| ID_u \| T_1)G$. Finally, the query is answered with $(V_2, V_3, d, T_2)$.

• On a query $Send(U^i, (V_2, V_3, d, T_2))$, assuming $U^i$ is in the correct state, we proceed as follows:
Choose a random number $r$, compute $c = rd$, $NID = V_2 \oplus h_2(c)$, $V_4 = h_2(V_1 \| c)$ and check whether $V_3$ and $h_2(NID \| c \| T_2)$ are equal. If not, the user instance terminates without accepting. Otherwise, compute $V_4 = h_2(V_2 \| c)$ and the session key $SK = h_2(c \| d \| e)$. At last, the query is answered with $(V_4)$.

• On a query $Send(S^j, (V_4))$, assuming $S^j$ is in the correct state, we proceed as follows:
Check whether $V_4$ and $h_2(V_1 \| c)$ are equal. If they are not equal, $S$ stops the session. Otherwise, compute the session key $SK = h_2(c \| d \| e)$.

Fig. 3. Simulation of Send-query

• On a query Reveal(U i ), we performed as follows:


If the instance U i has accepted, the query is answered with the session key.

• On a query Execute(U i , S j ), we performed as follows:


(V1 , DID, T1 ) ← Send(U i , start),
(V2 , V3 , d, T2 ) ← Send(S j , (U, QU )) and
(V4 ) ← Send(U i , (QB , HB ))
The query is answered with the transcript ((V1 , DID, T1 ), (V2 , V3 , d, T2 ), (V4 )).

• On a query Corrupt(U, a), we performed as follows:


a) If a = 1, the query is answered with U ’s password P W .
b) If a = 2, the query is answered with (DID, V, CT R_SC).

• On a query T estID(U ), we performed as follows:


Let ID0 or ID1 be two arbitrary identities of the same length, and C be the challenge
ciphertext of either ID0 ||N0 or ID1 ||N0 , using the underlying symmetric encryption Ek ().
Set DID = C for the user U and return ID1 .

• On a query T estAKE(U i ), we performed as follows:


Get the session key sk from the Reveal(U i ) and flip a coin b. If b = 1, we return the session
key, otherwise we return a random value with the same length.

Fig. 4. Simulation of Execute, Reveal, Corrupt, TestID and TestAKE query


Theorem 1 as below:

$$\mathrm{Adv}_{P}^{A,D}(\mathcal{A}) \le 2\Pr[\mathrm{Succ}_4] - 1 + 2(\Delta_0 + \Delta_1 + \Delta_2 + \Delta_3)$$
$$\le 2\,\mathrm{Adv}^{SE}_{E_x}(t) + \frac{(q_{send} + q_{exe})^2}{n} + \frac{q_h^2}{2^{l}} + \frac{2 q_{send}}{n} + 2\Pr[\mathrm{AskH}_4]$$
$$\le \frac{2 q_{send} + (q_{send} + q_{exe})^2}{n} + \frac{q_h^2}{2^{l}} + 2\,\mathrm{Adv}^{SE}_{E_x}(t) + 2\Pr[\mathrm{AskH}_5]$$

And this completes the proof.

4.2 Other Security Analysis

In this subsection, we show that our scheme achieves security and anonymity as well as several desirable properties of a TF-AKE protocol, under the assumption that a malicious adversary can eavesdrop, modify, insert, or delete any message transmitted over the public channel.

(1) Offline dictionary attack with compromised smart cards
Suppose an adversary has compromised a smart card and obtained the information DID = Ex(ID||N0) and V = h1(ID||x) ⊕ h1(PW) stored in it, and also assume that the adversary has obtained all messages transmitted in the protocol run. In an offline dictionary attack, the goal of the adversary is to guess a password PW' and verify its validity, so the adversary computes V0' = V ⊕ h1(PW') and e' = V1 − h1(V0'||IDu||T1)G. To verify the validity of the guessed password PW', the adversary has to compute c from e' and d, then compute NID = V2 ⊕ h2(c), and finally check whether V3 = h2(NID||c||T2) holds. However, this is impossible due to the intractability of the Diffie-Hellman problem.

(2) De-synchronization attack
Our protocol needs no additional synchronization mechanism to keep the one-time identity DID or NID consistent between the user and the server, because the one-time identity is stored only in the smart card and not at the server. Even if an authentication process is terminated, the user is still able to log in to the server later. Our scheme thus solves the de-synchronization attack problem of anonymous TF-AKE protocols.

(3) Anonymity and unlinkability
Our protocol provides user anonymity, as no adversary can find out the identity IDu or ID from the transmitted messages of the scheme. Note that IDu and ID are contained in V1 and NID, which are well protected: the adversary cannot retrieve the identity information from V1 and NID without knowing PW, x and the Diffie-Hellman value c. On the other hand, all transmitted messages are fresh and different in each session run, because they are randomized by the nonces {r, u, N1}. Therefore, an adversary without the secret keys cannot link any two session runs of the same user, which ensures anonymity and unlinkability.

(4) Forgery and impersonation attack
Our protocol can resist forgery and impersonation attacks even if the adversary has compromised a smart card and obtained the information DID = Ex(ID||N0) and V = h1(ID||x) ⊕ h1(PW) stored in it. An adversary aiming to impersonate the user chooses r', computes e' = r'G, V0' = V ⊕ h1(PW'), V1' = e' + h1(V0'||IDu||T1)G and sends {V1', DID, T1} to the server. As the adversary does not know the user's password, the Diffie-Hellman instance c' = r'd computed by the adversary will not be the same as c = u(V1' − h1(h1(ID||x)||IDu||T1)G) computed by the server (except with negligible probability). The adversary's response V4 therefore cannot pass the server's authentication, and the adversary has only negligible probability of establishing the same session key as the server. An adversary aiming to impersonate the server does not have the server's private key x needed to decrypt DID and compute NID = Ex(ID||N1). Therefore, it is impossible for the adversary to generate V3 = h2(NID||c||T2) and pass the user's verification.

(5) Replay attack
In our scheme, we use the timestamps {T1, T2} and the nonces {r, u} to resist replay attacks. If an adversary replays a message {V1, DID, T1} to the server, it will fail the authentication because the timestamp T1 is no longer valid. Even if the adversary replays the message within the validity period of T1, it cannot compute the session key SK = h2(c||d||e), because computing c requires knowledge of the nonce r or u.

(6) Known-key security
In our protocol, the session key SK = h2(c||d||e) depends on the nonces {r, u}, and {r, u} are generated independently in every session. Besides, the nonces are picked at random, are not transmitted in the message flows, and cannot be recovered from the protocol transcript. Therefore, knowledge of one session key gives no advantage in computing other session keys. Thus, our protocol provides known-key security.

(7) Perfect forward secrecy
Since the session key of our protocol is SK = h2(c||d||e), which contains a Diffie-Hellman instance depending on the nonces {r, u}, any adversary has negligible probability of computing c = ruG from rG and uG due to the intractability of the Diffie-Hellman problem, even if he knows the secret key x of the server and the user's password PW. Thus, our protocol provides perfect forward secrecy.

(8) Privileged-insider attack
In our protocol, the user sends only his identity to the server, over a secure channel, in the registration phase, and the server does not learn the user's password. Therefore, the proposed protocol can withstand the privileged-insider attack.

(9) Denning-Sacco attack
Even if an adversary learns the session key SK = h2(c||d||e), he still cannot compute the user's password or obtain the server's secret key x, and cannot launch a forgery attack using SK. That is, our protocol can resist the Denning-Sacco attack.

(10) Lost-smart-card attack
According to the above analysis, an adversary cannot launch offline dictionary attacks, forgery attacks or impersonation attacks even if he obtains the smart card and all the information stored in it. On the other hand, if an adversary obtains a revoked smart card, he cannot pass the authentication process using the information stored in it, because the identity of the smart card is updated in the smart card revocation phase and the identity CI of the revoked smart card cannot pass the verification process. Therefore, our protocol can resist the lost-smart-card attack.
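The Login and Authentication exchange simulated in Fig. 3, together with the analysis of (1), (4) and (5) above, as an added Python model that is not the paper's code: secp256k1 stands in for the group generated by G, SHA-256 for h1 and h2, a constructed SHA-256 keystream cipher for E_x, the server is assumed to map each decrypted ID to its IDu, and a 60-second timestamp window is assumed. The wrong-password run ends with the user-side V3 check failing, which is exactly the check a guessing adversary cannot perform offline.

```python
import hashlib, os, time

# secp256k1: y^2 = x^3 + 7 over F_P, generator G of prime order N (the paper's G and n)
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
WINDOW = 60  # assumed timestamp validity window in seconds (not fixed by the paper)

def ec_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None: return p2
    if p2 is None: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0: return None
    lam = (3*x1*x1 * pow(2*y1, -1, P) if p1 == p2 else (y2 - y1) * pow(x2 - x1, -1, P)) % P
    x3 = (lam*lam - x1 - x2) % P
    return (x3, (lam*(x1 - x3) - y1) % P)

def ec_mul(k, pt_):
    """Double-and-add scalar multiplication k*pt_."""
    acc = None
    while k:
        if k & 1: acc = ec_add(acc, pt_)
        pt_, k = ec_add(pt_, pt_), k >> 1
    return acc

def ec_sub(p1, p2): return ec_add(p1, (p2[0], (-p2[1]) % P))
def pt(p): return p[0].to_bytes(32, "big") + p[1].to_bytes(32, "big")
def xor(a, b): return bytes(x ^ y for x, y in zip(a, b))
def rand_scalar(): return int.from_bytes(os.urandom(32), "big") % (N - 1) + 1
def now(): return str(int(time.time())).encode()

def h1(*parts):  # h1: {0,1}* -> Z_n^*, used as the scalar in h1(.)G and inside V
    return int.from_bytes(hashlib.sha256(b"h1|" + b"|".join(parts)).digest(), "big") % (N - 1) + 1
def h2(*parts):  # h2: {0,1}* -> 256-bit string, used for V2, V3, V4 and SK
    return hashlib.sha256(b"h2|" + b"|".join(parts)).digest()

def E(x, msg):   # constructed stand-in for E_x (NOT AES): IV || msg XOR SHA-256(x||IV)
    iv = os.urandom(16)
    return iv + xor(msg, hashlib.sha256(x + iv).digest())
def D(x, ct): return xor(ct[16:], hashlib.sha256(x + ct[:16]).digest())

def new_server(): return {"x": os.urandom(32), "users": {}}

def register(server, ID, IDu, PW):
    """Registration over the secure channel; returns the smart card contents."""
    assert len(ID) == 8                                  # fixed-width ID so ID||N0 is one block
    server["users"][ID] = IDu                            # assumed: server maps ID -> IDu
    DID = E(server["x"], ID + os.urandom(8))             # DID = E_x(ID || N0)
    V = h1(ID, server["x"]) ^ h1(PW)                     # V = h1(ID||x) XOR h1(PW)
    return {"DID": DID, "V": V, "IDu": IDu}

def user_step1(card, PW):
    rU, T1 = rand_scalar(), now()
    e = ec_mul(rU, G)                                    # e = rU G
    V0 = card["V"] ^ h1(PW)                              # equals h1(ID||x) only for the right PW
    Q = ec_mul(h1(V0.to_bytes(32, "big"), card["IDu"], T1), G)
    V1 = ec_add(e, Q)                                    # V1 = e + h1(V0||IDu||T1)G
    return {"rU": rU, "e": e, "V1": V1}, (V1, card["DID"], T1)

def server_step2(server, msg):
    V1, DID, T1 = msg
    ID = D(server["x"], DID)[:8]                         # recover ID from the one-time DID
    if ID not in server["users"] or abs(int(T1.decode()) - int(now().decode())) > WINDOW:
        return None, None                                # revoked card or stale T1 (replay)
    x, IDu = server["x"], server["users"][ID]
    Q = ec_mul(h1(h1(ID, x).to_bytes(32, "big"), IDu, T1), G)
    e = ec_sub(V1, Q)                                    # e = V1 - Q
    rS, T2 = rand_scalar(), now()
    d, c = ec_mul(rS, G), ec_mul(rS, e)                  # d = rS G, c = rS e
    NID = E(x, ID + os.urandom(8))                       # NID = E_x(ID || N1), 32 bytes
    V2, V3 = xor(h2(pt(c)), NID), h2(NID, pt(c), T2)     # V2 = h2(c) XOR NID, V3 = h2(NID||c||T2)
    return {"V1": V1, "d": d, "e": e, "c": c}, (V2, V3, d, T2)

def user_step3(card, st, msg):
    V2, V3, d, T2 = msg
    if abs(int(T2.decode()) - int(now().decode())) > WINDOW: return None, None
    c = ec_mul(st["rU"], d)                              # c = rU d
    NID = xor(V2, h2(pt(c)))
    if V3 != h2(NID, pt(c), T2): return None, None       # terminate without accepting
    card["DID"] = NID                                    # fresh one-time identity for next login
    SK = h2(pt(c), pt(d), pt(st["e"]))                   # SK = h2(c||d||e)
    return SK, h2(pt(st["V1"]), pt(c))                   # V4 = h2(V1||c)

def server_step4(st, V4):
    if V4 != h2(pt(st["V1"]), pt(st["c"])): return None  # S stops the session
    return h2(pt(st["c"]), pt(st["d"]), pt(st["e"]))

def run_login(server, card, PW):
    """Drive one full exchange; returns (user SK, server SK), None where a side rejected."""
    ust, m1 = user_step1(card, PW)
    sst, m2 = server_step2(server, m1)
    if sst is None: return None, None
    sk_u, V4 = user_step3(card, ust, m2)
    return (None, None) if sk_u is None else (sk_u, server_step4(sst, V4))
```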


5 FUNCTIONALITY AND PERFORMANCE COMPARISONS

5.1 Functionality Comparison

In the comparison of functionalities, we focus on security against the lost-smart-card attack and the offline dictionary attack, anonymity and untraceability, mutual authentication and key exchange, forward secrecy, support of password change, and dependence on the public key infrastructure. Table 1 compares our scheme with some other related schemes: Wen-Li [19], Li et al. [25], Li-Zhang [32], Odelu et al. [33], Wang et al. [34], and Chaudhry et al.'s [37], [38] schemes. The comparison confirms that our scheme achieves all these properties simultaneously.

5.2 Performance Comparison

We evaluate the computational and communication complexity of our scheme and compare it with the related schemes [19], [25], [32], [33], [34], [37], [38].

In the Login and Authentication phase of our scheme, the smart card requires three elliptic curve scalar multiplications to compute (e, c), where e can be pre-computed, and six hash operations for computing (V0, V1, NID, V4, SK) and checking V3. The server requires three elliptic curve scalar multiplications to compute (d, c), where d can be pre-computed, two block encryptions for (DID, NID), and five hash operations for computing (e, V2, V3, SK) and verifying V4. Wen-Li's scheme [19] needs nine and seven hash operations in the smart card and the server, respectively. In Li et al.'s scheme [25], the smart card requires two elliptic curve scalar multiplications to compute (e, c), which can be pre-computed, two block encryptions for V, and eight hash operations for computing (b_NID^1, u, Mu, SK) and verifying Ms. The server requires one elliptic curve scalar multiplication to compute c, fourteen block encryptions for (b_NID^N1, V, b_ID^N1'), and eight hash operations for computing (Ms, Nb1, V1, SK) and verifying Mu. In Li-Zhang's scheme [32], the smart card requires two elliptic curve scalar multiplications to compute (Gc, Kauth), where Gc can be pre-computed, and seven hash operations for computing (Kauth, RM, V', AuthU, Mu, SK) and checking AuthS. The server requires one elliptic curve scalar multiplication to compute Kauth, and seven hash operations for computing (Kauth, RM, V', AuthU', AuthS, SK) and verifying Mu. In Odelu et al.'s scheme [33], the smart card requires three modular exponentiations to compute (K1, Vi, ski), and six hash operations for computing (K1, TIDi, Mi) and checking Ms. The server requires three modular exponentiations to compute (K2, sks, Vs), and five hash operations for computing (IDi||n1, Ci, sks, Ms) and verifying Mi. In Wang et al.'s scheme [34], the smart card requires two modular exponentiations to compute (yA, cA), one block encryption for eA, and eight hash operations for computing (fA, DIDA, VA, sk, MA) and checking Ms. The server requires one modular exponentiation to compute cA, one block decryption to obtain fA, and five hash operations for computing (IDA, sk, Ms) and verifying (fA, MA). In Chaudhry et al.'s first scheme [37], the smart card requires nine hash operations for computing (Ḡi, Qi, Si) and checking a. The server requires two block decryptions to obtain IDi||Ts0 and to encrypt IDi||Ts1, and six hash operations for computing Zi. In Chaudhry et al.'s second scheme [38], the smart card requires three elliptic curve scalar multiplications to compute (Qua, Mua, TIDua), and eight hash operations for computing (BIDua, EIDua, Hua) and checking Hsb'. The server requires three elliptic curve scalar multiplications to compute (Qsb, Mua', TIDua'), and six hash operations for computing Hsb and checking Hua'.

Table 2 summarizes the computational cost of the schemes, without pre-computation, in the Login and Authentication phase. In the table, H represents a hash operation, E a block encryption/decryption, A a modular exponentiation and M an elliptic curve scalar multiplication. We simulated the above operations using the latest Miracl library in the following environment: Windows 7 SP1 64-bit PC, Intel Core i5-3210M CPU at 2.5 GHz, 8 GB RAM. The simulation shows that one hash operation requires 0.068 ms (millisecond), one block encryption/decryption 0.56 ms, one modular exponentiation 3.043 ms, and one scalar multiplication on the elliptic curve 2.501 ms. Accordingly, we estimate the running time of the related schemes per session as shown in Table 2, and the comparison shows that the computational cost of our scheme is still acceptable.

According to Table 2, the Wen-Li [19] scheme is more efficient than the others since it is based only on hash operations, but it cannot provide perfect forward secrecy or untraceability; in addition, these two schemes cannot resist the offline password guessing attack once the information stored in the smart card is compromised. Note that the Li et al. [25] and Li-Zhang [32] schemes cannot provide perfect forward secrecy, use the server's public key, and cannot achieve user anonymity if an adversary learns the information stored in the smart card. Therefore, the proposed two-factor authentication scheme is more practical than the other schemes.

In Table 3, we list the communication cost of the related schemes in the registration phase and the login and authentication phase, respectively. For consistency and simplicity, the length of one identity or one password is taken as 32 bits, one nonce as 64 bits, the output of one block encryption or one hash operation as 256 bits (e.g. AES-256 and SHA-256), one element of the large-prime group Zp* as 1024 bits, and one point on the elliptic curve Ep and one scalar in its p-order group Zp as 160 bits and 80 bits, respectively. By comparison, our scheme outperforms all the related schemes except Li-Zhang's scheme [32] with respect to communication efficiency.

6 CONCLUSION

In this paper, we proposed an Anonymous Two-Factor AKE scheme which preserves security against various attacks, including the de-synchronization attack, the lost-smart-card attack and the password guessing attack, and supports several desirable properties, including perfect forward secrecy, anonymity or untraceability, adaptive password change, no centralized password storage, and no long-term public key. Furthermore, our protocol maintains high efficiency in terms of storage requirement and communication cost as well


TABLE 1
Functionalities Comparison

[19] [25] [32] [33] [34] [37] [38] ours


No password table Y Y Y Y Y Y Y Y
No server’s public key Y N N N N Y N Y
Revoke lost SC Y Y N Y N N N Y
Mutual authentication and Key agreement Y Y Y Y Y Y Y Y
Forward secrecy N N N Y N N Y Y
Anonymity or untraceability N Y Y Y Y Y Y Y
Anonymity or untraceability if SC is lost N N N N Y Y Y Y
Against dictionary attack if SC is lost N N Y N Y Y Y Y
Password change Y Y Y Y N Y N Y

TABLE 2
Computation cost comparison

Smart card The server Total Estimated time (ms)


[19] 9H 7H 16H 1.09
[25] 2M+2E+8H 1M+14E+8H 3M+16E+16H 17.55
[32] 2M+7H M+7H 3M+14H 8.46
[33] 3A+6H 3A+5H 6A+11H 19.01
[34] 2A+1E+8H 1A+1E+5H 3A+2E+13H 11.13
[37] 9H 2E+6H 2E+15H 2.14
[38] 3M+8H 3M+6H 6M+14H 15.96
Ours 3M+6H 3M+2E+5H 6M+2E+11H 16.87

TABLE 3
Communication cost comparison

Registration Login and Authentication Total (bits)


[19] 576 1584 2160
[25] 928 1536 2464
[32] 352 1104 1456
[33] 2336 2816 5152
[34] 640 3072 3712
[37] 1568 1568 3136
[38] 704 1120 1824
Ours 368 1376 1744

as computational complexity. Our protocol requires only a small number of message flows, and all the transmitted messages are short. In addition, the proposed scheme is provably secure in our extended security model of AKE. Therefore, the proposed scheme is suitable for deployment in various low-power networks, in particular pervasive and mobile computing networks.

ACKNOWLEDGMENTS

We would like to thank the anonymous referees for their constructive comments. This research was supported by the Natural Science Foundation of Zhejiang Province (No. LZ12F02005), and the Major State Basic Research Development (973) Program of China (No. 2013CB834205).

REFERENCES

[1] A. Valenzano, L. Durante, and M. Cheminod, "Review of security issues in industrial networks," IEEE Trans. Ind. Inf., vol. 9, no. 1, pp. 277-293, 2013.
[2] V. C. Gungor and G. P. Hancke, "Industrial wireless sensor networks: challenges, design principles and technical approaches," IEEE Trans. Ind. Electron., vol. 56, no. 10, pp. 4258-4265, Oct. 2009.
[3] D. Liu, M. C. Lee, and D. Wu, "A node-to-node location verification method," IEEE Trans. Ind. Electron., vol. 57, no. 5, pp. 1526-1537, May 2010.
[4] C. Chang and C. Lee, "A secure single sign-on mechanism for distributed computer networks," IEEE Trans. Ind. Electron., vol. 59, no. 1, pp. 629-637, Jan. 2012.
[5] G. Wang, J. Yu, and Q. Xie, "Security analysis of a single sign-on mechanism for distributed computer networks," IEEE Trans. Ind. Inf., vol. 9, no. 1, pp. 294-302, 2013.
[6] L. Barolli and F. Xhafa, "JXTA-OVERLAY: A P2P platform for distributed, collaborative and ubiquitous computing," IEEE Trans. Ind. Electron., vol. 58, no. 6, pp. 2163-2172, Oct. 2010.
[7] Y. Huang, W. Lin, and H. Li, "Efficient implementation of RFID mutual authentication protocol," IEEE Trans. Ind. Electron., vol. 59, no. 12, pp. 4784-4791, 2012.
[8] B. Wang and M. Ma, "A server independent authentication scheme for RFID systems," IEEE Trans. Ind. Inf., vol. 8, no. 3, pp. 689-696, Aug. 2012.
[9] B. Fabian, T. Ermakova, and C. Muller, "SHARDIS: A privacy-enhanced discovery service for RFID-based product information," IEEE Trans. Ind. Inf., vol. 8, no. 3, pp. 707-718, Aug. 2012.
[10] M. Hwang and L. Li, "A new remote user authentication scheme using smart cards," IEEE Trans. Consum. Electron., vol. 46, no. 1, pp. 28-30, 2000.


[11] C. Chang, H. Le, C. Lee, and C. Chang, "A robust and efficient smart card oriented remote user authentication protocol," in Proc. 7th Int. Conf. Intelligent Information Hiding and Multimedia Signal Processing (IIH-MSP), pp. 252-255, 2011.
[12] C. Lee, M. Hwang, and I. Liao, "Security enhancement on a new authentication scheme with anonymity for wireless environments," IEEE Trans. Ind. Electron., vol. 53, no. 5, pp. 1683-1687, Oct. 2006.
[13] J. J. Shen, C. W. Lin, and M. S. Hwang, "A modified remote user authentication scheme using smart cards," IEEE Trans. Consum. Electron., vol. 49, no. 2, pp. 414-416, 2003.
[14] G. Yang, D. S. Wong, H. Wang, and X. Deng, "Two-factor mutual authentication based on smart cards and passwords," Journal of Computer and System Sciences, vol. 74, no. 7, pp. 1160-1172, 2008.
[15] C. Ma, D. Wang, and S. Zhao, "Security flaws in two improved remote user authentication schemes using smart cards," Int. J. Commun. Syst., DOI: 10.1002/dac.2468, 2012.
[16] D. He, J. Chen, and J. Hu, "Improvement on a smart card based password authentication scheme," Journal of Internet Technology, vol. 13, no. 3, pp. 405-410, 2012.
[17] Q. Xie, "Improvement of a security enhanced one-time two-factor authentication and key agreement scheme," Scientia Iranica, vol. 19, no. 6, pp. 1856-1860, 2012.
[18] M. Khan, S. Kim, and K. Alghathbar, "Cryptanalysis and security enhancement of a more efficient and secure dynamic ID-based remote user authentication scheme," Computer Communications, vol. 34, pp. 305-309, 2011.
[19] F. Wen and X. Li, "An improved dynamic ID-based remote user authentication with key agreement scheme," Computers and Electrical Engineering, vol. 38, no. 2, pp. 381-387, 2012.
[20] M. Witteman, "Advances in smartcard security," Information Security Bulletin, vol. 7, pp. 11-22, 2002.
[21] P. Kocher, J. Jaffe, and B. Jun, "Differential power analysis," in Advances in Cryptology (CRYPTO '99), pp. 388-397, 1999.
[22] T. S. Messerges, E. A. Dabbish, and R. H. Sloan, "Examining smart-card security under the threat of power analysis attacks," IEEE Transactions on Computers, vol. 51, no. 5, pp. 541-552, 2002.
[23] W. Juang, S. Chen, and H. Liaw, "Robust and efficient password authenticated key agreement using smart cards," IEEE Trans. Ind. Electron., vol. 15, no. 6, pp. 2551-2556, Jun. 2008.
[24] D. Sun, J. Huai, J. Sun, J. Li, J. Zhang, and Z. Feng, "Improvements of Juang et al.'s password-authenticated key agreement scheme using smart cards," IEEE Trans. Ind. Electron., vol. 56, no. 6, pp. 2284-2291, Jun. 2009.
[25] X. X. Li, W. D. Qiu, D. Zheng, K. F. Chen, and J. H. Li, "Anonymity enhancement on robust and efficient password-authenticated key agreement scheme using smart cards," IEEE Trans. Ind. Electron., vol. 57, no. 2, pp. 793-800, Feb. 2010.
[26] H. Chen, Y. Xiao, X. Hong, F. Hu, and J. Xie, "A survey of anonymity in wireless communication systems," Security Comm. Networks, vol. 2, pp. 427-444, 2009.
[27] C. Fan, Y. Chan, and Z. Zhang, "Robust remote authentication scheme with smart cards," Comput. Secur., vol. 24, no. 8, pp. 619-628, Nov. 2005.
[28] M. L. Das, A. Saxena, and V. P. Gulati, "A dynamic ID-based remote user authentication scheme," IEEE Trans. Consum. Electron., vol. 50, no. 2, pp. 629-631, 2004.
[29] R. Madhusudhan and R. C. Mittal, "Dynamic ID-based remote user password authentication schemes using smart cards: A review," Journal of Network and Computer Applications, vol. 35, pp. 1235-1248, 2012.
[30] D. He and H. Hu, "Cryptanalysis of a dynamic ID-based remote user authentication scheme with access control for multi-server environment," IEICE Trans. Inf. Sys., vol. E96-D, no. 1, pp. 1-3, 2013.
[31] Y. Y. Wang, J. Y. Liu, F. X. Xiao, and J. Dan, "A more efficient and secure dynamic ID-based remote user authentication scheme," Computer Communications, vol. 32, pp. 583-585, 2009.
[32] X. Li and Y. Zhang, "A simple and robust anonymous two-factor authenticated key exchange protocol," Security Comm. Networks, vol. 6, no. 5, pp. 631-643, 2013.
[33] V. Odelu, A. K. Das, and A. Goswami, "An effective and robust secure remote user authenticated key agreement scheme using smart cards in wireless communication systems," Wireless Pers. Commun., DOI 10.1007/s11277-015-2721-7, 2015.
[34] D. Wang, N. Wang, P. Wang, and S. Qing, "Preserving privacy for free: Efficient and provably secure two-factor authentication scheme with user anonymity," Information Sciences, vol. 321, pp. 162-178, 2015.
[35] D. Wang, D. He, P. Wang, and C. H. Chu, "Anonymous two-factor authentication in distributed systems: certain goals are beyond attainment," IEEE Transactions on Dependable and Secure Computing, vol. 12, no. 4, pp. 428-442, 2014.
[36] E. Bresson, O. Chevassut, and D. Pointcheval, "Security proofs for an efficient password-based key exchange," in Proc. 10th ACM Conference on Computer and Communications Security, pp. 241-250, 2003.
[37] S. Chaudhry, M. S. Farash, H. Naqvi, S. Kumari, and M. K. Khan, "An enhanced privacy preserving remote user authentication scheme with provable security," Security Comm. Networks, vol. 8, pp. 3782-3795, 2015.
[38] S. Chaudhry, H. Naqvi, K. Mahmood, H. F. Ahmad, and M. K. Khan, "An improved remote user authentication scheme using elliptic curve cryptography," Wireless Pers. Commun., DOI 10.1007/s11277-016-3745-3, 2016.
[39] S. Chaudhry, "A secure biometric based multi-server authentication scheme for social multimedia networks," Multimed Tools Appl., vol. 75, pp. 12705-12725, 2016.
[40] A. Irshad, M. Sher, O. Nawaz, S. Chaudhry, I. Khan, and S. Kumari, "A secure and provable multi-server authenticated key agreement for TMIS based on Amin et al. scheme," Multimed Tools Appl., DOI 10.1007/s11042-016-3921-1, 2016.

Qi Xie is a professor in the Hangzhou Key Laboratory of Cryptography and Network Security, Hangzhou Normal University, China. He received his PhD degree in applied mathematics from Zhejiang University, China, in 2005. He was a visiting scholar between 2009 and 2010 at the Department of Computer Science, University of Birmingham, UK, and a visiting scholar at the Department of Computer Science, City University of Hong Kong, in 2012. His research area is applied cryptography, including digital signatures, authentication and key agreement protocols, etc. He has published over 60 research papers in international journals and conferences, served as general co-chair of ISPEC2012 and ASIACCS2013, and is a reviewer for over 20 international journals.

Duncan S. Wong received the B.Eng. degree from the University of Hong Kong in 1994, the M.Phil. degree from the Chinese University of Hong Kong in 1998, and the Ph.D. degree from Northeastern University, Boston, MA, U.S.A. in 2002. He worked at the City University of Hong Kong for 12 years, and was appointed to the position of Director of the Exploratory Research Laboratory (ERL) in ASTRI from August 2014. His research interests include applied cryptography and information security. He has authored over 200 research papers in international journals and conferences, and served as a member, including as chair, of the program committee for over 90 international conferences in cryptography and information security.


Guilin Wang received the Ph.D. degree in computer science from the Institute of Software, Chinese Academy of Sciences, Beijing, China, in 2001. He is currently a senior researcher with Huawei International Pte Ltd, Singapore. Before this, he was a Senior Lecturer at the University of Wollongong, Australia, a Lecturer at the University of Birmingham, Birmingham, U.K., a Research Scientist at the Institute for Infocomm Research, Singapore, and an Assistant Professor at the Chinese Academy of Sciences, Beijing, China. He has authored or coauthored more than 80 research publications in the areas of applied cryptography and telecommunications security. His main research interests include the analysis, design, and applications of digital signatures and security protocols. Dr. Wang has served as a program co-chair for six international security conferences, and as a reviewer for over 20 international journals.

Xiao Tan received the B.S. and M.S. degrees from Fudan University, in 2007 and 2010 respectively, and the Ph.D. degree from City University of Hong Kong in 2014. He is now a lecturer at Hangzhou Normal University, China. His main research interests include applied cryptography and information security, in particular cloud storage security, fair exchange protocols, authenticated key agreement, and other cryptographic schemes.

Kefei Chen is a professor in the Hangzhou Key Laboratory of Cryptography and Network Security, Hangzhou Normal University, China. He received the B.S. and M.S. degrees in applied mathematics from Xidian University, Xidian, in 1982 and 1985, respectively, and the Ph.D. degree from Justus-Liebig University, Germany, in 1994. From 1996 to 2012 he served as a professor in the Department of Computer Science, Shanghai Jiaotong University, and he joined the School of Science, Hangzhou Normal University, in 2013. Dr. Chen has concentrated his work on cryptography and information security in the past years, and has been awarded many projects, such as those of the National Natural Science Foundation of China and the National High-Tech Programs of China; he is also the author of more than 200 research papers and 9 books.

Liming Fang received the Ph.D. degree in Computer Science from Nanjing University of Aeronautics and Astronautics in 2012, and was a postdoc in information security at City University of Hong Kong. He is an associate professor at the School of Computer Science, Nanjing University of Aeronautics and Astronautics. Now he is a visiting scholar at the Department of Electrical and Computer Engineering, New Jersey Institute of Technology (NJIT). His current research interests include cryptography and information security. His recent work has focused on the topics of public key encryption with keyword search, proxy re-encryption, identity-based encryption, and techniques for resistance to CCA attacks.
