
Journal of Ambient Intelligence and Humanized Computing

https://doi.org/10.1007/s12652-019-01388-x

ORIGINAL RESEARCH

eUASBP: enhanced user authentication scheme based on bilinear pairing
Sangeetha Rajaram1 · Tanmoy Maitra2 · Satyanarayana Vollala4   · N. Ramasubramanian1 · Ruhul Amin3

Received: 13 March 2019 / Accepted: 2 July 2019


© Springer-Verlag GmbH Germany, part of Springer Nature 2019

Abstract
Authentication, one of the basic cryptographic services, is essential for servers to identify authorized users and to reject unauthorized ones. In this work we consider Awasthi's scheme and show that it is vulnerable to several serious attacks. This paper not only describes the security pitfalls of Awasthi's scheme but also designs a new scheme using bilinear pairing that removes the existing security drawbacks and adds other attractive features such as strong mutual authentication and protection against the smart card stolen threat. The strong security of eUASBP is ensured through a security analysis based on BAN logic: eUASBP reaches the BAN logic goals by application of the BAN rules. Our informal security analysis shows that the proposed eUASBP provides security against the attacks possible on smart card based applications. In addition, eUASBP provides mutual authentication, session key agreement, and early wrong password detection. Bayat et al.'s authentication scheme also provides security against the possible attacks on smart card based applications but does not support session key agreement or early wrong password detection. The computation cost of eUASBP is lower than that of other authentication schemes, since eUASBP uses fewer bilinear operations than the related authentication schemes. The performance analysis shows that our protocol is more secure in comparison with the state of the art and also better in terms of storage, computation and communication overheads.

Keywords  BAN logic · Authentication · Bilinear pairing · Session key agreement

1 Introduction

This millennium world is in need of speed everywhere, and people depend on applications that remotely access servers. Those remote servers need to authenticate users in order to identify the authorized ones and to reject unauthorized ones. In order to avoid misuse of a specific service or theft, user authentication is essential, since most applications use public computer networks and channels for communication. General ways of authentication are smart cards, passwords and biometric measures. Smart card based applications that require a password are considered in this paper. Several smart card based applications are: the identity card of an employee or a student, to track attendance; an ATM card for banking, which a customer holds to perform various banking operations; the citizen card of a nation, to provide various services to a citizen; the purchase card of a company, to calculate bills and to track customers; and wireless sensor network based applications, to track a person or to provide service in a specified region.

* Satyanarayana Vollala
satya4nitt@gmail.com; satya@iiitnr.edu.in
Sangeetha Rajaram
sangeethavinashi@gmail.com
Tanmoy Maitra
tanmoy.maitra@live.com
N. Ramasubramanian
nrs@nitt.edu
Ruhul Amin
amin_ruhul@live.com

1 Department of Computer Science and Engineering, National Institute of Technology, Tiruchirappalli 620015, India
2 Department of Computer Science and Engineering, KIIT University, Bhuvaneshwar, India
3 Department of Computer Science and Engineering, IIIT, Naya Raipur, India
4 Department of Computer Science and Engineering, IIIT, Naya Raipur, India

13
Vol.:(0123456789)
S. Rajaram et al.

Password based authentication is the simplest and easiest method of user authentication. In most password based authentication schemes users/clients are allowed to select their own password. Passwords selected by the users are prone not only to cryptographic computational attacks but also to guessing attacks and other types of attacks. So users must be educated to choose their passwords and to maintain them. Passwords chosen should not be easily guessable, like a family member's name or other known personal details available in a dictionary. Frequent change of password should be encouraged. The newly chosen password should not be similar to the old one (e.g. old password: Michelin, new password: Michelin50). Users should not reveal the password to others. Users should not reveal the time period of their utilization of the service.

For better security, magnetic strip based smart cards are being replaced by EMV (Europay, MasterCard, and Visa/chip and PIN) based smart cards. EMV cards cannot be cloned as easily as magnetic strip cards (Bond et al. 2015).

In smart card based applications, the smart card is held by the users. Users must be instructed to keep their cards securely and not to give them to others for any reason. Awasthi, a professor of mathematics, proposed an authentication scheme for smart card based applications in the year 2012. This paper analyses Awasthi's scheme, finds the pitfalls of that authentication scheme, and proposes a novel authentication scheme called eUASBP (enhanced user authentication scheme based on bilinear pairing). Security analysis of eUASBP is done through BAN logic. The security analysis ensures that eUASBP is strong against many attacks and overcomes the pitfalls of Awasthi's scheme. Awasthi's scheme uses public key cryptographic algorithms that lead to higher computational cost. eUASBP does not use public key cryptographic algorithms and thereby reduces computational cost. But the general characteristic of public key cryptography is to provide stronger security than hash based cryptography alone. Elliptic curve cryptography (ECC) provides the same security strength as RSA but with a smaller key size. For example, a 1024 bit RSA key provides the same security strength as a 160 bit ECC key. ECC is highly recommended for embedded and wireless devices for its minimal key size and reduced computational cost (Maletsky 2015).

Bilinear pairing based cryptography is being used by many applications for its compactness and high security. Some of the applications are smart grids, mobile Pay-TV systems and mobile vehicular systems (Tsai and Lo 2015; Nicanfar et al. 2014; Sun and Leu 2009). Electric/battery vehicles need to charge at charging stations. During the charging process the vehicle's information has to be given to the servers, and this information may be misused. In order to provide security in this case bilinear pairing is being used (Saxena and Choi 2016).

In wireless medical sensor networks (WMSN) security and authentication are a challenge because of the remote nodes and their limited capabilities. ECC based authentication protocols have been suggested by many researchers for WMSN for their minimal key size and reduced computational complexity without sacrificing the security aspect (Li et al. 2019). Industrial Internet of Things (IIOT) applications mostly make use of wireless sensor networks in addition to cloud computing for their operations. Since the medium of communication is wireless, IIOT systems are vulnerable to attacks by adversaries. ECC based authentication schemes have been proposed by researchers to provide better security with lightweight computations (Li et al. 2018a, b).

eUASBP's computation cost is low when compared with the other bilinear pairing based authentication schemes, since eUASBP uses fewer bilinear pairing operations. eUASBP not only protects the application from possible attacks, but also provides mutual authentication, session key agreement, and early wrong password detection. The storage and communication cost of eUASBP is neither too high nor very low when compared with other authentication schemes.

The remainder of the paper is arranged in the following manner. Section 2 discusses the related works of eUASBP. Section 3 gives prior knowledge of the notations and equations used. Section 4 depicts Awasthi's scheme. Section 5 analyses the security features of Awasthi's scheme. In Sect. 6, eUASBP is demonstrated. Section 7 elaborates the security analysis of eUASBP. Section 8 gives the performance results of eUASBP and compares them with the other authentication schemes. Section 9 concludes the paper.

2 Related works

There are many authentication schemes proposed by many authors based on bilinear pairing. Das et al. proposed an authentication scheme that prevents multiple logins of the same user, does not store users' passwords, and allows users to replace their old password with a new one without the intervention of the remote server. The attacks eliminated by this authentication scheme are forgery attack, replay attack, and insider attack (Das et al. 2006). Chou et al. proved that Das et al.'s authentication scheme does not provide protection against impersonation attack (Chou et al. 2005). Thulasi et al. proved the limitations of Das et al.'s authentication scheme and Chou, Chen et al.'s authentication scheme, but never gave a solution for them (Goriparthi et al. 2006). Fang and Huang gave a solution to overcome the forgery and replay attacks that are the weaknesses mentioned above by proposing a new authentication protocol (Fang and Huang 2006). Giri and Srivastava proposed an authentication scheme that overcomes the limitations of Fang and Huang's scheme by eliminating forgery, offline, and insider

attacks (Giri and Srivastava 2006). Awasthi analyzed Fang and Huang's scheme and Giri and Srivastava's scheme and gave a new authentication scheme that removes the limitations of both the schemes mentioned (Awasthi 2012). Jia et al. unveiled an authentication scheme that eliminates the vulnerabilities found by Thulasi et al., utilizing Elliptic Curve ElGamal cryptography (Jia et al. 2006). Bayat and Sabzinejad analyzed Goriparthi et al.'s scheme and Tseng et al.'s scheme and released an authentication scheme that eliminated all the flaws found in both the schemes (Bayat et al. 2010). Das, Saxena and Gulati proposed an authentication scheme supported by bilinear pairing that provides a dynamic ID for every login and does not keep a verifier table. Obviously the proposed scheme is protected against ID theft and other security loopholes (Das et al. 2004). Goriparthi et al. showed that Das et al.'s authentication scheme and Chou et al.'s authentication scheme are insecure against several attacks and gave a new authentication scheme (Goriparthi et al. 2009; Das et al. 2004; Chou et al. 2005). Tseng et al. gave an authentication scheme based on the computational DH assumption that improves the performance and reduces the computational cost. It is well suited for mobile devices and supports a multi-server environment (Tseng et al. 2008). The proposed eUASBP uses fewer bilinear operations when compared with other authentication schemes, thereby reducing computational cost. eUASBP provides security against all possible attacks related to smart card based applications. In addition it provides mutual authentication, early wrong password detection, and session key agreement.

3 Preliminaries

Notations used in this paper are presented in Table 1. A bilinear mapping must satisfy three properties. Among those, the bilinear property that is useful for computations is elaborated here.

Table 1 Expansion of important terms

Terms: Expansion
RS: Remote server
Gr1: Cyclic additive group
Gr2: Cyclic multiplicative group
RP: Generator for Gr1
q: Prime order of cyclic groups
ê(X, Y): Bi-linear pairing
hf1: {0, 1}* → Gr1: Bilinear mapping
ê: Gr1 × Gr2 → Gr2: Bilinear mapping
sK: Secret key
Ppub = sK.RP: Public-key calculation

1. ê(M + N, O) = ê(M, O) + ê(N, O), ∀ M, N, O ∈ Gr1
2. ê(M, N + O) = ê(M, N) + ê(M, O), ∀ M, N, O ∈ Gr1
3. ê(pM, qN) = ê(M, N)^(pq) = ê(pqM, N) = ê(M, pqN), ∀ M, N, O ∈ Gr1
4. ê(pM, N) = ê(M, N)^p = ê(M, pN), ∀ M, N, O ∈ Gr1
5. ê(M, qN) = ê(M, N)^q = ê(qM, N), ∀ M, N, O ∈ Gr1

4 Awasthi's scheme (Awasthi 2012)

This scheme is operated in four steps as described below:

4.1 Initialization

RS selects Gr1, Gr2, sK and calculates Ppub as sK.RP. A secure encryption/decryption algorithm E(.) based on sK is also chosen. RS keeps sK secret and the other parameters public.

4.2 User's registration

User/Client X submits identity IDx and a chosen password PWx to the RS through a secure private channel. RS computes SPx = PWx.Ppub and REGIDx = sK.hf1(IDx) + SPx, and returns the following parameters for the User's smart card to store: ⟨Ppub, REGIDx, IDx, hf1(.)⟩.

4.3 User's login

Whenever a registered user needs to acquire a service of the RS, he/she initiates the authentication process by inserting the smart card into the card reader. User/Client X enters the identity IDx and password PWx. Next, the smart card works out the following calculations:

Ax = PWx.Ppub, Bx = REGIDx − Ax

A random cardinal n is chosen and the following are computed:

Cx = E_Ppub(n)
Dx = Tx.Bx + n.Ppub (∵ Tx is the present timestamp of the User/Client X)

⟨IDx, Cx, Dx, Tx⟩ are sent to the RS through a common channel.

4.4 User verification

On receiving ⟨IDx, Cx, Dx, Tx⟩, RS computes the following to verify the User/Client X. The format of IDx is checked; if it is in a valid format then the following are done:

If (T*x − Tx) ≤ ΔT
Then MRS = E_sK(Cx) (∵ T*x is the present timestamp of the RS, ΔT the allowed transmission delay) and

NRS = MRS.Ppub are computed.
If ê(Dx − NRS, RP) = ê(hf1(IDx), Ppub)^Tx
Then the User/Client X is accepted by the RS
else rejected.

4.5 Password change request

On receiving the existing user identity, the password and a new password, RS verifies the user/client X by using the existing identity and password as mentioned in Sects. 4.3 and 4.4. Then RS makes a new registration by using the existing identity and the new password as mentioned in Sect. 4.2.

5 Security pitfalls of Awasthi's scheme

This section discusses and establishes the security weaknesses/pitfalls of Awasthi's scheme. By analyzing the power consumption of the smart card, the values stored in it could be obtained (Kocher et al. 1999; Messerges et al. 2002). Then, by using those values, the messages communicated between the RS and the user could be trapped by the adversary. Based on the assumptions mentioned by Amin and Biswas, it is proved that Awasthi's scheme is open to privileged insider attack and offline password guessing attacks (Amin and Biswas 2015a, b).

5.1 Offline password guessing attack

This attack has several advantages over online password cracking. It does not leave any trace on the target system, and the adversary has enough time for manipulations. This attack is a combination of several basic cryptographic attacks like brute force attack, mask attack, dictionary attack, power analysis attack and rule based attack (Katz et al. 1996; Stallings 2006; Ur et al. 2015; Summers and Bosworth 2004). An offline password guessing attack does a power analysis attack followed by a combination of the other attacks mentioned, in order to obtain the password stored in the smartcard. Nowadays users are allowed to choose their password on their own for their personal comfort in most of the authentication schemes. But user chosen passwords are easily prone to dictionary attack. By extracting the parameters ⟨Ppub, REGIDx, IDx, hf1(.)⟩ from the card memory through power analysis, the adversary can find out the password by proceeding with the following computational steps:

Step 1: Adversary computes ê(REGIDx, RP), which is equivalent to ê(hf1(IDx), Ppub) + ê(Ppub, RP)^PWx. The adversary knows all the parameters except the password. So he/she can confirm the guessed password by matching the LHS of the following equation with the RHS:

ê(REGIDx, RP) = ê(hf1(IDx), Ppub) + ê(Ppub, RP)^PWx

Correctness of the above equation:
ê(REGIDx, RP)
= ê(sK.hf1(IDx) + SPx, RP)
= ê(sK.hf1(IDx), RP) + ê(SPx, RP)
= ê(hf1(IDx), sK.RP) + ê(PWx.Ppub, RP)
= ê(hf1(IDx), Ppub) + ê(Ppub, RP)^PWx

Step 2: The adversary chooses a password PWx[attk] and verifies ê(REGIDx, RP) = ê(hf1(IDx), Ppub) + ê(Ppub, RP)^PWx[attk]. If the LHS matches the RHS, the password is obtained successfully; else Step 3 is followed.
Step 3: Adversary chooses another password and proceeds with Step 2. The low entropy property helps in finding the password soon. With the help of mask attack, dictionary attack, and rule based attack, password finding could be made faster.

5.2 Extension of password guessing attack

By successfully finding the password, the adversary can find Bx = sK.hf1(IDx) by computing REGIDx − PWx.Ppub. Then forgery and theft attacks are made possible in Awasthi's scheme as described below.

[Forgery attack] Adversary chooses a timestamp T*x where (T*RS − T*x) ≤ ΔT and a random cardinal n*. Then calculates Cx[attk] = E_Ppub(n*), Dx[attk] = T*x.Bx + n*.Ppub. The forged login message ⟨IDx, Cx[attk], Dx[attk], T*x⟩ is sent to the RS. RS checks (T*RS − T*x) ≤ ΔT; it will be true. Then MRS = E_sK(Cx[attk]), NRS = MRS.Ppub are computed by the RS. RS checks ê(Dx[attk] − NRS, RP) = (ê(hf1(IDx), Ppub))^T*x. It will be equal because the adversary can compute sK.hf1(IDx) correctly. So the forgery attack is successful by the acceptance of the RS.

[Theft attack] Adversary chooses a password of his choice PW*x, then computes REGIDx[attk] = Bx + PW*x.Ppub. Adversary stores the manipulated REGIDx[attk] along with the other information into the smart card as ⟨Ppub, REGIDx[attk], IDx, hf1(.)⟩. Adversary uses the smart card until it is found to be malpracticed or missing or blocked.

5.3 Privileged insider attack

If an adversary with privileges like a system manager at the RS end attacks the user X by obtaining the password PWx, it is called a privileged insider attack. The adversary may use this password PWx to access other accounts of the user X. In Awasthi's scheme, the user sends the password PWx directly to the RS. So privileged insider attack is allowed by Awasthi's scheme.

5.4 Efficiency analysis

Incorrect login information in the login phase leads to unnecessary computation and communication overhead if it is not properly handled. An efficient user authentication scheme handles incorrect information in the login phase and avoids unnecessary computational overhead and traffic in the communication channel. Awasthi's scheme does not handle incorrect login information in the login phase, so it proceeds with the execution of further steps and leads to extra computation and communication overhead. This is described by the following cases.

Case 1: Correct identity and incorrect password
User X enters the correct identity IDx and an incorrect password PWx[faulty] by mistake on the display of the card reader machine during the login phase. The smart card computes the following by choosing a random cardinal n*: Ax[faulty] = PWx[faulty].Ppub, Bx[faulty] = REGIDx − Ax[faulty], Cx = E_Ppub(n*), Dx[faulty] = Tx.Bx[faulty] + n*.Ppub, where Tx is the present timestamp of the User/Client X. ⟨IDx, Cx, Dx[faulty], Tx⟩ are sent to the RS through a common channel. On receiving the above, RS checks the format of the identity IDx; if it is valid, it proceeds with the following. If (T*x − Tx) ≤ ΔT (T*x is the present timestamp of the RS, ΔT the allowed transmission delay), then MRS = E_sK(Cx) and NRS = MRS.Ppub are computed. Then RS checks whether ê(Dx[faulty] − NRS, RP) = ê(hf1(IDx), Ppub)^Tx. The LHS will not match the RHS because the LHS value is wrong by the entry of the incorrect password. The corresponding calculations are shown below.

ê(Dx[faulty] − NRS, RP)
= ê(Tx.Bx[faulty] + n*.Ppub − n*.Ppub, RP)
= ê(Tx.Bx[faulty], RP)
= ê(REGIDx − Ax[faulty], RP)^Tx
= ê(REGIDx − PWx[faulty].Ppub, RP)^Tx
= ê(sK.hf1(IDx) + PWx.Ppub − PWx[faulty].Ppub, RP)^Tx (∵ REGIDx = sK.hf1(IDx) + PWx.Ppub)
≠ ê(sK.hf1(IDx), RP)^Tx, or ê(hf1(IDx), sK.RP)^Tx, or ê(hf1(IDx), Ppub)^Tx, since PWx[faulty] ≠ PWx.

So RS rejects the user X and terminates the session.

Case 2: Incorrect identity and correct password
User X enters an identity IDx[faulty] in an incorrect format by mistake and the correct password PWx on the display of the card reader machine during the login phase. The smart card computes the following by choosing a random cardinal n*: Ax = PWx.Ppub, Bx = REGIDx − Ax, Cx = E_Ppub(n*), Dx = Tx.Bx + n*.Ppub, where Tx is the present timestamp of the User/Client X. ⟨IDx[faulty], Cx, Dx, Tx⟩ are sent to the RS through a common channel. On receiving the above, RS checks the format of the identity IDx[faulty]; it is not valid, so RS stops the session and rejects the user X.

Case 3: Incorrect identity and wrong password
User X enters an incorrect identity IDx[faulty] and an incorrect password PWx[faulty] by mistake on the display of the card reader machine during the login phase. The smart card computes the following by choosing a random cardinal n*: Ax[faulty] = PWx[faulty].Ppub, Bx[faulty] = REGIDx − Ax[faulty], Cx = E_Ppub(n*), Dx[faulty] = Tx.Bx[faulty] + n*.Ppub, where Tx is the present timestamp of the User/Client X. ⟨IDx[faulty], Cx, Dx[faulty], Tx⟩ are sent to the RS through a common channel. On receiving the above, RS checks the format of the identity IDx[faulty]; it is not valid, so RS stops the session and rejects the user X.

Case 4: An adversary can modify the login message cleverly by knowing the computations, or by simply editing it. The adversary can retrieve the login information ⟨IDx, Cx, Dx, Tx⟩ from user X and swap it with ⟨IDx, Cx, D*x, Tx⟩, where D*x = hf1(Dx). Upon receiving the login message, RS does the computations as mentioned in the prior cases. While comparing ê(D*x − NRS, RP) with ê(hf1(IDx), Ppub)^Tx, surely they will not match, because D*x − NRS = hf1(Dx) − NRS = hf1(Tx·sK·hf1(IDx) + n·Ppub) − n·Ppub ≠ sK·Tx·hf1(IDx). So RS denies the user X and closes the session.

In Case 1, Case 2 and Case 3, the login phase of the authentication process is executed even though the RS receives a wrong identity or password. So it slows down the server and the application by unnecessary operations and traffic. In all the cases the user's session gets closed suddenly, so the user may not know the reason for the session termination. This inefficient input handling confuses users and costs more in load and time.

6 Proposed eUASBP

This section proposes a protocol that eliminates the security pitfalls of Awasthi's scheme. The proposed eUASBP protocol operation involves five steps. They are described below.

6.1 Initialization phase

RS gets a security parameter K ∈ Zw for some value w and runs algorithm Ĝ to produce a prime order q > 2^K. RS selects Gr1, Gr2, sK and calculates Ppub as sK.RP and ê(RP, RP) = ∝. A secure encryption/decryption algorithm E(.) based on sK is also chosen, together with a one way hash function hf1: {0, 1}* → Z*q.

RS keeps sK secret and the other parameters public. This phase is depicted in Fig. 1.

6.2 User's registration phase

A new User/Client X provides an identity IDx and a chosen password PWx. Then PWDx = hf1(PWx, y) is calculated, where y is a random cardinal chosen by the User/Client X. After that ⟨IDx, PWDx⟩ are sent to RS through a secure private channel. Upon receiving ⟨IDx, PWDx⟩, RS computes Rx = hf1(sK, IDx) ⊕ PWDx and REGIDx = hf1(sK, IDx)·PWDx·RP, and returns the following parameters for the User's smart card to store: ⟨Rx, REGIDx, hf1(.), RP, Ppub⟩. On receiving the smart card, User/Client X records y into the smartcard and keeps it safely for further use. This phase is depicted in Fig. 2.

6.3 User's login phase

Whenever a registered user needs to acquire a service of the RS, he/she initiates the login by inserting the smart card into the card reader. User/Client X enters the identity IDx and PWx. Next the smart card works out the following: PWD*x = hf1(PWx·y), L0 = Rx ⊕ PWD*x = hf1(sK, IDx), REG*IDx = L0.PWD*x.RP. After that the card reader checks whether REG*IDx matches REGIDx or not. If they match, the card reader proceeds with the following computations, else it closes the session. A random cardinal y1 is chosen by the smart card and the following are computed: L1 = hf1(y1, Tx), L2 = hf1(PWD*x, L1), L3 = (L0 + L2)·Ppub and L4 = PWD*x ⊕ L1, where Tx is the present login timestamp. After calculating the above, the login request message

Fig. 1 Initialization phase of eUASBP

Fig. 2 User's registration phase of eUASBP

⟨IDx, Rx, L3, L4, Tx⟩ is sent to the RS through a common channel. This phase is depicted in Fig. 3.

6.3.1 Correctness of REG*IDx = REGIDx

L0 = Rx ⊕ PWD*x
= hf1(sK, IDx) ⊕ PWDx ⊕ PWD*x (∵ Rx = hf1(sK, IDx) ⊕ PWDx)
= hf1(sK, IDx) (∵ PWD*x = PWDx)

REG*IDx = L0.PWD*x.RP
= hf1(sK, IDx).PWD*x.RP
= REGIDx (∵ PWD*x = PWDx)

6.4 User's authentication phase

Upon getting the login message ⟨IDx, Rx, L3, L4, Tx⟩ at timestamp Ts, RS checks the format of IDx as the foremost operation and then checks the timestamp validity by (Ts − Tx) ≤ ΔT. If both conditions hold, RS computes A0 = hf1(sK, IDx), derives PWD′x by calculating Rx ⊕ A0, derives L′1 = hf1(y1, Tx) by computing PWD′x ⊕ L4, and computes L′2 = hf1(PWD′x, L′1). Then RS matches ê(L3x, RP) with ∝^(sK.(A0 + L′2)); if they match, the authentication process proceeds further, else the session closes. RS chooses a random number y2 and computes A1 = hf1(y2, Ts), A2 = hf1(A0, A1), A3 = A2.PWD′x.RP, y3 = L′1 ⊕ A1 and the session key ssK = hf1(A2, L′1, A1, L′2). It then transmits the reply message ⟨A3, y3, Ts⟩ to user X. On receiving the message ⟨A3, y3, Ts⟩ at timestamp Tr, the smartcard checks the validity (Tr − Ts) ≤ ΔT. If it is valid, the smartcard derives A*1 = hf1(y2, Ts) by computing y3 ⊕ L1, calculates A*2 = hf1(L0, A*1) and A*3 = A*2.PWD*x.RP, and checks whether A*3 and A3 differ or not. If they do not differ, mutual authentication is achieved and the smartcard calculates the session key as ssK = hf1(A*2, L1, A*1, L2) for secure data communication. This phase is depicted in Fig. 4.

Fig. 3 User's login phase of eUASBP
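The following run-through is an added example, not code from the paper or its authors. It exercises Sects. 6.2 to 6.4 end to end on constructed data: registration, the card-side REG*IDx check that gives early wrong password detection, the RS's ordering of the identity-format and timestamp checks ahead of the pairing verification ê(L3, RP) = ∝^(sK.(A0 + L2)), the reply ⟨A3, y3, Ts⟩, and the two-sided derivation of ssK. The pairing is a toy stand-in: Gr1 = Z_q (additive, generator RP = 1), Gr2 = the order-q subgroup of Z_p^* with p = 2q + 1, and e(a.RP, b.RP) = g^(ab). It has exactly the bilinearity of properties 3 to 5 in Sect. 3 (checked by `bilinear_holds`), but discrete logarithms in it are trivial, so the parameters illustrate the algebra and give no security. The SHA-256 based `hf1`, the trial-division prime generation, the identity format rule, the value of ΔT, and the sample identity and password are all assumptions of this example; the paper writes PWDx as both hf1(PWx, y) and hf1(PWx·y), and the example treats them as the same value.

```python
import hashlib
import secrets

def is_prime(n):  # trial division: fine for the ~30-bit toy parameters generated below
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))

def safe_prime():  # toy stand-in for algorithm G of Sect. 6.1: q prime with p = 2q + 1 prime
    q = secrets.randbelow(1 << 30) | (1 << 29) | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return q, 2 * q + 1

Q, P = safe_prime()   # prime order q of Gr1 and Gr2; P is the field prime behind Gr2
G = 4                 # 2^2 generates the order-Q subgroup of Z_P^*
RP = 1                # generator of Gr1 = Z_Q (additive): k.RP is simply k mod Q
DELTA_T = 5           # allowed transmission delay in seconds (assumed value)

def hf1(*parts):      # one-way hash {0,1}* -> Z_q^* (Sect. 6.1), SHA-256 reduced mod q
    data = b"|".join(str(p).encode() for p in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % (Q - 1) + 1

def smul(k, point):   # scalar multiplication k.point in Gr1
    return (k * point) % Q

def pairing(a, b):    # toy bilinear map e(a.RP, b.RP) = G^(ab): bilinear as in Sect. 3, but trivially invertible
    return pow(G, (a * b) % Q, P)

ALPHA = pairing(RP, RP)   # e(RP, RP), the public constant fixed in Sect. 6.1

def bilinear_holds(M, N, p):   # property 4 of Sect. 3: e(pM, N) = e(M, N)^p = e(M, pN)
    return pairing(smul(p, M), N) == pow(pairing(M, N), p, P) == pairing(M, smul(p, N))

def valid_id_format(IDx):      # the RS's foremost check (Sect. 6.4); the rule itself is assumed here
    return IDx.isalnum() and 4 <= len(IDx) <= 16

class RemoteServer:
    def __init__(self):
        self.sK = secrets.randbelow(Q - 1) + 1   # long-term secret; never leaves the RS
        self.Ppub = smul(self.sK, RP)

    def register(self, IDx, PWDx):   # Sect. 6.2: the RS receives PWDx = hf1(PWx, y), never PWx
        A0 = hf1(self.sK, IDx)
        return A0 ^ PWDx, smul(A0 * PWDx, RP), RP, self.Ppub   # Rx, REGIDx, RP, Ppub

    def authenticate(self, msg, Ts):   # Sect. 6.4: cheap checks first, the pairing last
        IDx, Rx, L3, L4, Tx = msg
        if not valid_id_format(IDx):
            return "rs-rejected:bad-id-format", None, None
        if not 0 <= Ts - Tx <= DELTA_T:
            return "rs-rejected:stale-timestamp", None, None
        A0 = hf1(self.sK, IDx)
        PWDp = Rx ^ A0           # PWD'x
        L1p = PWDp ^ L4          # L'1
        L2p = hf1(PWDp, L1p)     # L'2
        if pairing(L3, RP) != pow(ALPHA, (self.sK * (A0 + L2p)) % Q, P):
            return "rs-rejected:pairing-mismatch", None, None
        A1 = hf1(secrets.randbelow(Q), Ts)   # hf1(y2, Ts)
        A2 = hf1(A0, A1)
        reply = (smul(A2 * PWDp, RP), L1p ^ A1, Ts)   # (A3, y3, Ts)
        return "rs-accepted", reply, hf1(A2, L1p, A1, L2p)   # ssK on the RS side

class SmartCard:
    def __init__(self, Rx, REGIDx, rp, Ppub, y):
        self.Rx, self.REGIDx, self.RP, self.Ppub, self.y = Rx, REGIDx, rp, Ppub, y

    def login(self, IDx, PWx, Tx):   # Sect. 6.3: login message, or None if the card rejects the password
        PWDs = hf1(PWx, self.y)      # PWD*x
        L0 = self.Rx ^ PWDs          # equals hf1(sK, IDx) only for the right password
        if smul(L0 * PWDs, self.RP) != self.REGIDx:   # REG*IDx vs REGIDx: early wrong password detection
            return None
        L1 = hf1(secrets.randbelow(Q), Tx)   # hf1(y1, Tx)
        L2 = hf1(PWDs, L1)
        self.state = (L0, L1, L2, PWDs)
        return (IDx, self.Rx, smul(L0 + L2, self.Ppub), PWDs ^ L1, Tx)   # (IDx, Rx, L3, L4, Tx)

    def finish(self, reply, Tr):   # Sect. 6.4, card side: freshness and A3 checks, then ssK
        A3, y3, Ts = reply
        if not 0 <= Tr - Ts <= DELTA_T:
            return None
        L0, L1, L2, PWDs = self.state
        A1s = y3 ^ L1                # A*1
        A2s = hf1(L0, A1s)           # A*2
        if smul(A2s * PWDs, self.RP) != A3:   # A*3 vs A3 authenticates the server
            return None
        return hf1(A2s, L1, A1s, L2)

def run_session(entered_pw="correct horse", entered_id="user01", delay=0):
    """One complete exchange on constructed data; returns a short outcome label."""
    rs = RemoteServer()
    y = secrets.randbelow(Q)   # the user's random cardinal, recorded on the card
    card = SmartCard(*rs.register("user01", hf1("correct horse", y)), y)
    Tx = 1_700_000_000
    msg = card.login(entered_id, entered_pw, Tx)
    if msg is None:
        return "card-rejected-early"   # nothing was sent to the RS
    status, reply, ssK_rs = rs.authenticate(msg, Tx + delay)
    if reply is None:
        return status
    return "session-key-agreed" if card.finish(reply, Tx + delay) == ssK_rs else "key-mismatch"
```

`run_session()` returns "session-key-agreed"; `run_session(entered_pw="wrong horse")` returns "card-rejected-early" without any message leaving the card, which is the efficiency point of Sect. 5.4; a malformed identity or a login message older than ΔT is refused by the RS before any pairing is evaluated.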

Fig. 4 User's authentication phase of eUASBP

6.4.1 Correctness of ê(L3x, RP) = ∝^(sK.(A0 + L2))

ê(L3x, RP)
= ê((L0 + L2).Ppub, RP)
= ê(L0.Ppub, RP) × ê(L2.Ppub, RP)
= ê(L0.sK.RP, RP) × ê(L2.sK.RP, RP) (∵ Ppub = sK.RP)
= ê(RP, RP)^(sK.L0) × ê(RP, RP)^(sK.L2)
= ∝^(sK.L0) × ∝^(sK.L2)
= ∝^(sK.(L0 + L2))
= ∝^(sK.(A0 + L2)) (∵ A0 = L0 = hf1(sK, IDx))
= ∝^(sK.(A0 + L′2)) (∵ L2 = L′2)

6.5 Password change phase

On receiving the existing user identity, the password and a new password, RS verifies the user/client X by using the existing identity and password as mentioned in Sects. 6.3 and 6.4. Then RS makes a new registration by using the existing identity and the new password as mentioned in Sect. 6.2.

7 Formal and informal security analysis of eUASBP

Formal and informal security analysis of eUASBP is done in this section. Formal security analysis is done through BAN logic (Burrows et al. 1989; Abadi and Tuttle 1990; Tsai et al. 2010). It validates the security features of eUASBP to ensure

session key agreement between the user/client and the RS, and mutual authentication. Informal security analysis is done by analyzing the eUASBP protocol against several relevant attacks (Burrows et al. 1989; Abadi and Tuttle 1990; Tsai et al. 2010).

7.1 Authentication proof for eUASBP by BAN logic (Burrows et al. 1989; Abadi and Tuttle 1990; Tsai et al. 2010)

eUASBP should fulfill four logic goals to ensure its secure nature under BAN logic, as given below.

Goal 1: Ux |≡ Ux ←sK→ RS
Goal 2: Ux |≡ RS |≡ Ux ←sK→ RS
Goal 3: RS |≡ Ux ←sK→ RS
Goal 4: RS |≡ Ux |≡ Ux ←sK→ RS

Explanation of goals: sK is agreed between user/client Ux and remote server RS.
Goal 1: Ux believes in the above condition
Goal 2: Ux believes that RS also believes in the above condition
Goal 3: RS believes in the above condition
Goal 4: RS believes that Ux also believes in the above condition

7.1.1 The proposed eUASBP is transformed into the following idealized form

Message 1: IDx, Rx, L3: ⟨L1⟩(L0, PWDx, Ppub), L4: ⟨L1⟩PWDx
Message 2: A3: ⟨A1⟩(hf1(sK, IDx), PWDx), y3: ⟨A1⟩L1

7.1.2 Assumptions about the preliminary state of the proposed eUASBP are listed below for analysis:

A1: Ux |≡ #(L1)
A2: RS |≡ #(L1)
A3: RS |≡ #(A1)
A4: Ux |≡ #(A1)
A5: Ux |≡ Ux ⇌(L1, A1) RS
A6: RS |≡ Ux ⇌(L1, A1) RS

7.1.3 Idealized form of eUASBP is analyzed based on BAN logic rules and assumptions. Proofs are described below

Message 1: Ux → RS: IDx, Rx, L3: ⟨L1⟩(L0, PWDx, Ppub), L4: ⟨L1⟩PWDx
S1: RS ◁ IDx, Rx, L3: ⟨L1⟩(L0, PWDx, Ppub), L4: ⟨L1⟩PWDx, by the receiving rule.
As per A6 and S1, the message meaning rule is used to derive
S2: RS |≡ Ux |∼ L1
As per A2 and S2, the nonce-verification rule and the freshness-concatenation rule are used to derive
S3: RS |≡ Ux |≡ L1, where L1 is the essential parameter for the session key.
As per A2 and S3, the session key rule is used to derive
S4: RS |≡ Ux ←sK→ RS (Goal 3)
As per A1 and S3, the nonce-verification rule is used to derive
S5: RS |≡ Ux |≡ Ux ←sK→ RS (Goal 4)

Message 2: RS → Ux: A3: ⟨A1⟩(hf1(sK, IDx), PWDx), y3: ⟨A1⟩L1
S6: Ux ◁ A3: ⟨A1⟩(hf1(sK, IDx), PWDx), y3: ⟨A1⟩L1, by the application of the seeing rule.
As per A5 and S6, by the application of the message meaning rule we derive
S7: Ux |≡ RS |∼ A1
As per A4 and S7, by applying the nonce-verification rule and the freshness-concatenation rule, we derive
S8: Ux |≡ RS |≡ A1, where A1 is a parameter for the session key.
As per A4 and S8, by the application of the session key rule, we derive
S9: Ux |≡ Ux ←sK→ RS (Goal 1)

As per A3 and S9, by the application of the nonce-verification rule, we derive
S10: Ux |≡ RS |≡ Ux ←sK→ RS (Goal 2)

By the above derivations, we reached all the goals of BAN logic, which ensures that the proposed eUASBP is secure enough. Security is ensured by means of session key agreement between user/client X and RS and mutual authentication.

7.2 Informal security analysis of eUASBP

As per the assumptions pointed out in Sect. 5, eUASBP is secure enough to protect the communication process against the following attacks: off-line password guessing attack, privileged insider attack, theft attack, server masquerading attack, user impersonation attack, smartcard stolen attack, session key disclosure attack, etc. The security analysis is done by describing the above mentioned attacks against eUASBP.

7.2.1 Off-line password guessing attack

An adversary can try this attack by fetching the stored parameters of a stolen smart card or by fetching the messages from the common communication channel. These two scenarios are illustrated below. (a) By fetching the secret values ⟨Rx, REGIDx, hf1(.), y⟩ stored in the card memory, the adversary tries to get the password by manipulating Rx or REGIDx. If the adversary tries a password attack through Rx, he/she must know sK, the secret key of the unknown server, which is 128 bits long. Else, if the adversary tries an attack through REGIDx, he/she needs to solve the Discrete Logarithm Problem, which is not solvable in polynomial time. (b) By trapping the communication channel, the adversary fetches the following messages communicated between the user/client X and RS: ⟨IDx, Rx, L3, L4, Tx⟩ and ⟨A3, y3, Ts⟩. The adversary must know sK of the unknown remote server and a random cardinal y3 in order to guess the right password, which is intractable in polynomial time. By the above discussions the strong security of eUASBP against offline password guessing attack is ensured.

7.2.2 Privileged insider attack

During the user's registration phase and login phase, PWx

7.2.3 User impersonation attack

To mimic an actual user/client X, the adversary must make a forged login message that is acceptable to the RS. But the adversary cannot make a valid login message ⟨IDx, Rx, L3, L4, Tx⟩, because without knowing the password PWx of the user/client X, the random cardinal y1, and the secret key sK of the server, it is impossible to build a valid login message. As described in Sect. 7.2.1, it is not possible to derive the password PWx through the private values ⟨Rx, REGIDx, hf1(.), y⟩ stored in the card memory or by fetching the actual login message from the public channel. So user impersonation attack is not possible with eUASBP.

7.2.4 Theft attack

To perform a theft attack the adversary must compute valid registration parameters. As mentioned in the earlier cases it is not possible to compute the registration parameters Rx or REGIDx. So eUASBP is protected against theft attack.

7.2.5 Server masquerading attack

To act as the actual remote server, the adversary must make a forged reply message for the user/client X's login request message. It is difficult to make the ⟨A3, y3⟩ reply message without knowing PWx, the secret key sK and y2. But it is not possible to derive the mentioned values, as stated for the prior attacks. So server masquerading attack is not possible with eUASBP.

7.2.6 Smartcard stolen attack

Through a purposefully stolen card or a lost card, the adversary can extract the private values stored in the card memory. The adversary can retrieve the ith instance of the login message. But he/she cannot make a valid login message without knowing PWx, the secret key sK, and the random cardinals y2 and y3. As stated for the prior attacks it is not possible to derive the above mentioned values. So smartcard stolen attack becomes impossible with eUASBP.

7.2.7 Session key disclosure attack
is not communicated to the RS in a direct form instead as
PWDx = hf1 (PWx,y ) and in other manipulated forms. Privi- Session key’s security level is determined, by the support of
leged insider cannot derive PWx from PWDx because of the hardness of the cryptographic hash function and the secret
inversion property of cryptographic one-way hash function. parameters ⟨sK, PWDx , y1 , y2 ⟨ . Deriving the secret param-
So eUASBP’s security protection against privileged insider eters is very difficult as mentioned earlier in the prior attacks
attack is assured. discussed. So, Session key discloser attack becomes not pos-
sible with eUASBP.

8 Performance comparison of eUASBP with other existing schemes

Several performance measuring attributes of eUASBP are evaluated and compared with the other known authentication schemes: Das et al.'s scheme (2006), Fang and Huang's scheme (2006), Giri and Srivastava's scheme (2006), Jia et al.'s scheme (2006), Bayat et al.'s scheme (2010) and Awasthi's scheme (2012). The login and authentication phases of the schemes have been compared, since these phases are vital in an authentication scheme. The registration and initialization phases have not been taken for comparison, since they are executed only once and their cost is negligible. The time needed to perform the cryptographic operations in an authentication scheme is represented as below in the comparison Table 3. The notations used for the time period calculation of the cryptographic operations are:

1. Tbp : Bilinear pairing operation
2. Te : Exponentiation operation
3. Th : Hash operation
4. Tm : Multiplication operation
5. Tpm : Scalar point multiplication operation
6. TE_P^pub : Public key encryption operation
7. TE_s^pub : Public key decryption operation

Normally the time complexity is ordered as Tbp > Te > Th > Tm > Tpm, based on the time required to perform the corresponding operations (Potlapally et al. 2006; He et al. 2011). The proposed eUASBP uses fewer bilinear pairing operations than the other schemes taken for the comparison. Since eUASBP uses fewer bilinear operations, and for several other reasons, eUASBP performs better and responds sooner.

Table 2  Comparison of computational cost and attacks possibility of proposed eUASBP with related schemes

Schemes                      Login phase                Verification phase              A1  A2  A3  A4  MA  SK  EPD
Proposed eUASBP              3Th + 1Tm + 2Tpm           7Th + 1Te + 3Tm + 1Tbp + 2Tpm   ✓   ✓   ✓   ✓   ✓   ✓   ✓
Bayat et al. (2010)          3Th + 2Tpm                 5Th + 2Tbp + 4Tpm + 1Tm         ✓   ✓   ✓   ✓   ✓   X   X
Jia et al. (2006)            4Tpm + 1Th                 2Tbp + 2Tpm + 1Th               X   X   X   X   X   X   X
Awasthi (2012)               3Tpm + 1TE_P^pub           2Tbp + 1Tpm + 1TE_s^pub         X   X   X   X   X   X   X
Giri and Srivastava (2006)   3Tpm + 1TE_P^pub           2Tbp + 1Tpm + 1TE_s^pub         X   X   X   X   X   X   X
Fang and Huang (2006)        1Tpm + 1Th + 1TE_P^pub     2Tbp + 1TE_s^pub                X   X   X   X   (see note)
Das et al. (2006)            2Tpm + 1Th                 2Tbp + 1Tpm                     X   X   X   X   X   X   X

A1: Resist user impersonation attack, A2: Resist off-line password guessing attack, A3: Resist insider attack, A4: Resist smartcard stolen attack, MA: Mutual authentication, SK: Session key agreement, EPD: Early wrong password detection, ✓: Can be mounted or satisfied, X: Cannot be mounted or not satisfied

Note: for the Fang and Huang (2006) row the extracted table carries six X marks and one ✓. The X marks for A1–A4 follow from the discussion of Table 2 in this section (only Bayat's scheme and eUASBP resist those four attacks); which one of MA, SK and EPD carries the ✓ is not recoverable from the extracted page.

Table 3  Communication and Storage cost of authentication schemes with eUASBP

Cost (→) / Schemes (↓)       Storage (in bits)   Communication (in bits)
                             Smartcard           Login phase   Server verification phase
Das et al. (2006)            576                 704           –
Fang and Huang (2006)        832                 1344          –
Giri and Srivastava (2006)   1088                1472          –
Jia et al. (2006)            1088                704           –
Awasthi (2012)               832                 1472          –
Bayat et al. (2010)          1344                768           1472
Proposed eUASBP              1152                704           512

Fig. 5  Smart card storage costs comparisons

Fig. 6  Communications costs comparisons

As per Table 2, only Bayat's scheme protects, like eUASBP, against the user impersonation attack, the off-line password guessing attack, the privileged insider attack and the smartcard stolen attack. eUASBP provides better security, stronger protection, and less time, as shown in Table 2. We assume that IDx and PWx are 64 bits each. The hash function hf1 : {0, 1}* → Z*q and the random nonces return 128 bits each. The hash function hf1 : {0, 1}* → Gr1 returns 256 bits. Communication cost depends on the messages communicated between the end entities. In eUASBP, two messages are communicated between the user/client X and the remote server RS during smart card authentication: one in the login phase and the other in the authentication phase. In the login phase, the login request message ⟨IDx, Rx, L3, L4, Tx⟩ is sent from user/client X to RS. The size of the login request message is 704 bits = (64 + 128 + 256 + 128 + 128). In the authentication phase, the reply message ⟨A3, y3, Ts⟩ is sent from RS to user/client X. The size of the reply message is 512 bits = (256 + 128 + 128). So in total 1216 bits = (704 + 512) are used for communication, which is low compared with the other existing authentication schemes. The storage cost of an authentication scheme depends on the values stored in the smartcard. In eUASBP the values stored in the smartcard are ⟨Rx, REGIDx, hf1(.), RP, Ppub, y⟩, so the storage cost is 1152 bits = (128 + 256 + 128 + 128 + 256 + 256). The storage and communication costs of the other authentication schemes are listed in Table 3. Further, comparison graphs for smart card storage cost and communication cost are given in Figs. 5 and 6 respectively.

Several other advantages of the proposed eUASBP are:

1. Mutual authentication: Mutual authentication in eUASBP is ensured because the adversary cannot extract the secret values, namely the remote server's secret key sK and the password PWx. So he/she cannot make a valid login request message ⟨IDx, Rx, L3, L4, Tx⟩, as illustrated in Sect. 7.2.3, or a valid reply message ⟨A3, y3, Ts⟩, as illustrated in Sect. 7.2.5.
2. Efficient password change phase: User/client X is allowed to choose a new password PWx conveniently, but this is not possible without knowing the existing password. Extracting the existing password illegally is not possible, as discussed earlier under the attacks.
3. Early wrong password detection: In eUASBP, the password entered by the user is checked by the smart card itself before anything is sent to the RS. So the user/client X gets a quick response about a wrongly entered password, and the execution time of the remote server RS is preserved for efficient utilization. Obviously it reduces the communication overhead too.
4. Session key agreement: In eUASBP the session key is calculated by both the user/client and the remote server. This security feature is not available in most of the other authentication schemes.

9 Conclusion

This paper proposes an authentication protocol that utilizes bilinear pairing together with a smartcard and a low-entropy password. The proposed eUASBP overcomes the limitations of Awasthi's scheme and performs better than the other related authentication schemes. eUASBP provides strong protection against many attacks in addition to mutual authentication and session key agreement. eUASBP detects a wrong password entry by the user/client at an early stage of processing, at the client end itself, without disturbing the remote server RS, thereby avoiding useless utilization of the server. In turn eUASBP reduces time and space complexities in order to provide better performance for the end user. Future plans to enhance eUASBP are (a) to add biometric based protection in addition to password protection and (b) to reduce the time and space complexities without sacrificing security features. Adding biometric based protection may lead to extra computation cost but surely increases the security level. Depending on the biometric measure, a corresponding hardware component is required by the security system to support it. It is a challenge to reduce time and space complexities while adding an extra security feature.

References

Abadi M, Tuttle MR (1990) A logic of authentication. ACM Trans Comput Syst 8:18–36
Amin R, Biswas G (2015a) An improved RSA based user authentication and session key agreement protocol usable in TMIS. J Med Syst 39(8):79
Amin R, Biswas G (2015b) A secure three-factor user authentication and key agreement protocol for TMIS with user anonymity. J Med Syst 39(8):78
Awasthi AK (2012) An improved remote user authentication scheme with smart cards using bilinear pairings. Int J Appl Math Comput 4(4):382–389
Bayat M, Sabzinejad M, Movahed A (2010) A novel secure bilinear pairing based remote user authentication scheme with smart card. In: 2010 IEEE/IFIP 8th international conference on embedded and ubiquitous computing (EUC). IEEE, pp 578–582
Bond M, Choudary MO, Murdoch SJ, Skorobogatov S, Anderson R (2015) Be prepared: the EMV preplay attack. IEEE Secur Priv 13(2):56–64
Burrows M, Abadi M, Needham RM (1989) A logic of authentication. Proc R Soc Lond A 426(1871):233–271
Chou JS, Chen Y, Lin JY (2005) Improvement of Manik et al.'s remote user authentication scheme. IACR Cryptol ePrint Arch 2005:450
Das ML, Saxena A, Gulati VP (2004) A dynamic ID-based remote user authentication scheme. IEEE Trans Consum Electron 50(2):629–631
Das ML, Saxena A, Gulati VP, Phatak DB (2006) A novel remote user authentication scheme using bilinear pairings. Comput Secur 25(3):184–189
Fang G, Huang G (2006) Improvement of recently proposed remote user authentication schemes. IACR Cryptol ePrint Arch 2006:200
Giri D, Srivastava P (2006) An improved remote user authentication scheme with smart cards using bilinear pairings. IACR Cryptol ePrint Arch 2006:274
Goriparthi T, Das ML, Negi A, Saxena A (2006) Cryptanalysis of recently proposed remote user authentication schemes. IACR Cryptol ePrint Arch 2006:28
Goriparthi T, Das ML, Saxena A (2009) An improved bilinear pairing based remote user authentication scheme. Comput Stand Interfaces 31(1):181–185
He D, Chen J, Zhang R (2011) An efficient identity-based blind signature scheme without bilinear pairings. Comput Electr Eng 37(4):444–450
Jia Z, Zhang Y, Shao H, Lin Y, Wang J (2006) A remote user authentication scheme using bilinear pairings and ECC. In: Sixth international conference on intelligent systems design and applications, 2006. ISDA'06, vol 2. IEEE, pp 1091–1094
Katz J, Menezes AJ, Van Oorschot PC, Vanstone SA (1996) Handbook of applied cryptography. CRC Press, Boca Raton, pp 41–42
Kocher P, Jaffe J, Jun B (1999) Differential power analysis. In: Annual international cryptology conference. Springer, pp 388–397
Li X, Niu J, Bhuiyan MZA, Wu F, Karuppiah M, Kumari S (2018a) A robust ECC-based provable secure authentication protocol with privacy preserving for industrial internet of things. IEEE Trans Ind Inform 14(8):3599–3609
Li X, Peng J, Niu J, Wu F, Liao J, Choo KKR (2018b) A robust and energy efficient authentication protocol for industrial internet of things. IEEE Internet Things J 5(3):1606–1615
Li X, Peng J, Obaidat MS, Wu F, Khan MK, Chen C (2019) A secure three-factor user authentication protocol with forward secrecy for wireless medical sensor network systems. IEEE Syst J. https://doi.org/10.1109/JSYST.2019.2899580
Maletsky K (2015) RSA vs ECC comparison for embedded systems. White paper. Atmel, San Jose, p 5
Messerges TS, Dabbish EA, Sloan RH (2002) Examining smart-card security under the threat of power analysis attacks. IEEE Trans Comput 51(5):541–552
Nicanfar H, Jokar P, Beznosov K, Leung VC (2014) Efficient authentication and key management mechanisms for smart grid communications. IEEE Syst J 8(2):629–640
Potlapally NR, Ravi S, Raghunathan A, Jha NK (2006) A study of the energy consumption characteristics of cryptographic algorithms and security protocols. IEEE Trans Mobile Comput 5(2):128–143
Saxena N, Choi BJ (2016) Authentication scheme for flexible charging and discharging of mobile vehicles in the V2G networks. IEEE Trans Inf Forensics Secur 11(7):1438–1452
Stallings W (2006) Cryptography and network security, 4/E. Pearson Education India, Chennai, pp 1–700
Summers WC, Bosworth E (2004) Password policy: the good, the bad, and the ugly. In: Proceedings of the winter international symposium on information and communication technologies. Trinity College Dublin, pp 1–6
Sun HM, Leu MC (2009) An efficient authentication scheme for access control in mobile pay-TV systems. IEEE Trans Multimed 11(5):947–959
Tsai JL, Lo NW (2015) A privacy-aware authentication scheme for distributed mobile cloud computing services. IEEE Syst J 9(3):805–815
Tsai JL, Wu TC, Tsai KY (2010) New dynamic ID authentication scheme using smart cards. Int J Commun Syst 23(12):1449–1462
Tseng YM, Wu TY, Wu JD (2008) A pairing-based user authentication scheme for wireless clients with smart cards. Informatica 19(2):285–302
Ur B, Segreti SM, Bauer L, Christin N, Cranor LF, Komanduri S, Kurilova D, Mazurek ML, Melicher W, Shay R (2015) Measuring real-world accuracies and biases in modeling password guessability. In: USENIX security symposium, pp 463–481