Security Analysis and Improvement of ‘a More Secure Anonymous User Authentication Scheme for the Integrated EPR Information System’

Over the past few years, secure and privacy-preserving user authentication scheme has become an integral part of the applications of the healthcare systems. Recently, Wen has designed an improved user authentication system over the Lee et al.’s scheme for integrated electronic patient record (EPR) information system, which has been analyzed in this study. We have found that Wen’s scheme still has the following inefficiencies: (1) the correctness of identity and password are not verified during the login and password change phases; (2) it is vulnerable to impersonation attack and privileged-insider attack; (3) it is designed without the revocation of lost/stolen smart card; (4) the explicit key confirmation and the no key control properties are absent, and (5) user cannot update his/her password without the help of server and secure channel. Then we aimed to propose an enhanced two-factor user authentication system based on the intractable assumption of the quadratic residue problem (QRP) in the multiplicative group. Our scheme bears more securities and functionalities than other schemes found in the literature.


Introduction
Due to the rapid progress of the communication technologies and information security, anonymous and secure remote user mutual authentication schemes are widely employed in the integrated electronic patient record (EPR) information system [1][2][3][4][5][6][7][8]. The online services provided by the EPR information system not only save patient's valuable time, but also helps doctor to take correct and quick clinical decision based on the digital information available on the remote location server of EPR information system [9][10][11]. In addition, with this online facility, the patient residing at home can access his/her confidential health report [12][13][14][15] stored on the EPR server through the internet. On the other hand, the doctor can access and analyze patient's data and can also inform the patients in a timely manner. Accordingly, to provide such type of facilities to the patients and the doctors, many healthcare systems are now being replaced the traditional paper-based system with digital service over wireless networks [16][17][18][19][20][21]. However, the privacy and confidentiality of patient health data must be maintained when these are accessed from the server over the internet [22][23][24]. Since the internet is ubiquitous in nature and thus the malicious adversaries may try to collect the confidential data of the patients. Thus, a robust and flexible authentication scheme usable in integrated EPR information system is required to access patient's data over any insecure channel [25][26][27][28][29].

Related Works
In order to maintain the security and privacy of the integrated EPR information system, many smart card based (two-factor) user authentication systems have been presented recently [2,3,[30][31][32][33][34]. However, it has been analyzed from the security community that the previous schemes are no longer provide required security and functional requirements of a robust user authentication system [12,13,17,25,28,29]. In 2012, Wu et al. [32] devised a new user authentication scheme for the integrated EPR information system with password and smart card. Then they argued that their scheme [32] resists all the vulnerabilities and includes all the functionalities. However, Lee et al. [2] demonstrated that Wu et al.'s scheme [32] is incapable to resist the stolen verifier attack and the lost smart card attack. Then an improved scheme was proposed by them and claimed that the scheme [2] is strong enough to remove the known vulnerabilities. Recently, Wen [3] has adopted the intractability assumption of the quadratic residue problem (QRP) [35,36] and designed an enhanced scheme over the scheme proposed by Lee et al. [2].

Motivation and Contribution
The Wen's scheme [3] is analyzed to be secure and efficient than other schemes [2,35], however, this paper identifies many inefficiencies on Wen's scheme [3]. This paper carefully analyzed that Wen's scheme [3] is suffering from the following problems: (1) it can not check user identity and password in the login and password change phases; (2) it is weak against the impersonation attack and privileged-insider attacks; (3) it has no facility to revoke the lost/stolen smart card; (4) the explicit key confirmation and the no key control properties of the session key are absent, and (5) it does not update user password without any secure channel and the remote server's assistance. In this study, the authors have considered all the security and functionality features, and consequently presented a new user authentication scheme, which is suitable for the application of integrated EPR information system. The performance studies have proved that the proposed design has eliminated the pitfalls of Wen's scheme [3]. Our user authentication would be more applicable for healthcare applications, such as the integrated EPR information system.

Organization of the Paper
We organized the rest parts of this paper as follows. The quadratic residue problem required to understand the rest of this paper is explained in Section 2. We explained the Wen's authentication scheme in Section 3. The weaknesses of Wen's scheme are presented in Section 4. The improved scheme is proposed in Section 5, and its security and functionality discussions are proposed in Section 6. The Section 7 provides a comparative analysis and the Section 8 concludes the paper.

Quadratic Residue Problem
In this section, we briefly introduce the quadratic residue problem (QRP) [36]. Suppose that the composite number n is the product of two large prime numbers p and q. We can say that b is a quadratic residue modulus n, if the equation b a 2 mod n is solvable in the multiplicative group Z Ã n . The set of quadratic residue modulo n is defined as QR n ¼ fb : 9 a 2 Z Ã n such that b a 2 mod ng ð1Þ In cryptography, many schemes/protocols [3,35] are designed under the intractability assumption of the QRP. The hardness assumption of QRP is equivalent to the factoring the large modulus n. That is for given b 2 QR n , it is infeasible for a polynomial time bounded algorithm to find a without factoring the public modulus n.

Description of the Wen's User Authentication Scheme
Here, we present Wen's two-factor user authentication scheme [3]. Initially, the remote medical server S selects two large prime numbers p, q and calculates the modulus as n = pq. Now, S made public n, whereas p and q are kept secret. The list of notations needed to understand the later part of the paper are described in Table 1.
The following phases are used to described Wen's authentication scheme.

Registration Phase
In this phase, the patient U i performs the registration through secure channel to the integrated EPR information server S in order to obtain a valid smart card. We explained this phase by the following steps: Step 1. U i sends a registration request with his/her hID i , PW i i to S over a secure channel.
Step 2. S verifies the correctness of ID i and computes v = H(KÈID i ).
Step 4. S initiates a counter c i = 0 against U i and insert a tuple hID i , c i i in the database. Then S issues a new smart card against U i that includes the information hH(Á), N, s 1 , c i i.

SK
The session key agreed between U i and S Step 5. S sends the smart card to U i over a secure channel.

Login Phase
For the login purpose, U i performs the following steps: Step 1. U i inserts the smart card into the specific card reader and keys his/her hID i , PW i i. Smart card then selects a number r and computes s 2 = H(H(PW i jjs 1 )).
Step 2. Smart card computes c i = c i + 1 and M 1 = (ID i jjNjjs 2 jjrjjc i ) 2 mod n. Now, U i sends M 1 as a login message to S over a public network.

Authentication Phase
In this phase, the user (patient) U i and the server S perform mutual authentication and then agreed on common secret session key. The description of this phase is given with the following steps: Step 1. When S received M 1 , then extracts (ID i jjNjjs 2 jjrjjc i ) from M 1 based on Chinese Remainder Theorem (CRT) using the secret primes p and q. Now, S takes the tuple hID i , c 0 i i from his/ her own database and verifies whether c 0 i > c i holds. If c 0 i > c i is incorrect, then S aborts the session. Otherwise, S updates the tuple hID i , c 0 i i to hID i , c i i and continues to the next steps.
Step 2. S computes v = H(KÈID i ), s 0 2 ¼ N È v and verifies it with s 2 . If s 0 2 ¼ s 2 , S then accepts U i as an legitimate user. S computes the session key SK = H(s 2 jjrjj1).
Step 3. S also performs the calculation of the response message as M 2 = H(s 2 jjrjj0) and then sends it to U i over a public network.
Step 4. When U i received M 2 , then computes M 0 2 = H(s 2 jjrjj0) and checks whether M 0 2 = M 2 is correct or not. If M 0 2 6 ¼ M 2 , U i aborts the session. Otherwise, U i authenticates S and computes the session key SK = H(s 2 jjrjj1).
The complete description of login phase and authentication phase of Wen's scheme [3] is further presented in Table 2.

Password Change Phase
This phase is executed by U i and in the cooperation of S. By this phase, U i is allowed to update his/her old password to a new password with the following operations: Step 1. U i delivers his/her hID i , PW i , PW new i to S using a secure channel.
S then securely sends hs Ã 1 , N Ã i to U i . On receiving hs Ã 1 , N Ã i from S, U i updates the old smart card's memory as hID i , H(Á), N Ã , s Ã 1 i. Note: In the password change phase of Wen's scheme [3], the counter c i is not incorporated in the smart card and we consider it as typo. Here we assumed that S sends the tuple hs Ã 1 , N Ã i to U i and then U i updates the old smart card's memory to hH(Á), N Ã , s Ã 1 , c i i.

Security Pitfalls of Wen's Authentication Scheme
This section is presented to identify and analyze the security and design issues of Wen's authentication scheme [3]. The following problems have been observed and their detailed descriptions are given below:

Login Phase is Inefficient and Unfriendly
We claimed that the design of login phase of Wen's authentication scheme is inefficient and unfriendly. In this phase, U i keys his/her hID i , PW i i into the smart card and then the smart card computes the login message M 1 without verifying the correctness of the entered login identity ID i and the password PW i . If U i incorrectly enters the login identity and the password by mistake, then the smart card computes the incorrect login message M 1 and then transfer it to S. On receiving M 1 , S checks it and accordingly informs U i . Therefore, the correctness of hID i , PW i i will be checked by S not by the smart card. However, this kind of design puts unnecessary burden on S. In the literature, efficient smart card based authentication schemes are proposed [28,29,37] where instead of S, the smart card is responsible for checking the correctness of hID i , PW i i before computing the login message M 1 . The complete description of the problem we pointed out in Wen's scheme [3] is explained as follows: Case 1: Here we will show how the login and authentication phases will faced problem if U i mistakenly insert the incorrect login identity ID Ã i instead of the correct identity ID i .
ðvia a public channelÞ Smartcard: Step 1. U i enters hID Ã i , PW i i into the smart card and then the smart card selects a random number r and calculates s 2 = H(H(PW i jjs 1 ), c i = c i + 1 and M 1 = ðID Ã i jj N jj s 2 jj r jj c i Þ 2 mod n. The smart card then sends M 1 to S over a public channel.
Step 2. In the authentication phase, S extracts ðID Ã i jj N jj s 2 jj r jj c i Þ from M 1 based on the Chinese Remainder Theorem (CRT) using the secret primes p and q. Now, S observed that ID Ã i is incorrect by comparing it with the tuples hID i , c 0 i i stored in the database and accordingly he/she aborts the session.
Case 2: Now we show that the login and authentication phases of Wen's scheme [3] will suffer from the problem as described below if U i mistakenly insert the incorrect password PW Ã i instead of the correct password PW i .
Step 1. U i enters hID i , PW Ã i i into the smart card and then the smart card selects a random number r and calculates s Ã The smart card then sends M 1 to S over a public network.
Step 2. In the authentication phase, S extracts ðID i jj N jj s Ã 2 jj r jj c i Þ from M 1 based on the Chinese Remainder Theorem (CRT) using the secret primes p and q. In this case, S found that ID i and the condition c 0 i > c i are correct and thus performs additional verifications. Then S computes v = H(KÈID i ) and Although, U i is a legal user, however, S rejects him/her since the verification equation s 0 2 = s Ã 2 is not satisfied.
From the above discussions, we can assured that an efficient and robust authentication scheme must verifies the login identity and password before proceed to the authentication phase.

Password Change Phase is Inefficient and Unfriendly
The password change phase of Wen's scheme [3] is also inefficient and unfriendly [28,29,37]. In this phase, However, the following inefficiencies have been observed in Wen's scheme: Case 1: The user U i must used a secure channel to deliver hID i , PW i , PW new i to S and S also used the secure channel to send hs Ã 1 , N Ã i to U i . However, each and every password change, Wen's scheme [3] needs two secure communication channels and it is costly and difficult to achieve in real environments. As a result, U i will not be interested to change his/her password periodically. However, due to the security reasons, it is recommended to change the password periodically.
Case 2: For the password change operation of smart card based authentication scheme, it is recommended that the smart card itself change the password without any connection with the remote server S [37].
Case 3: During the password change, the correctness of the entered old identity and password hID i , PW i i must be verified before changing the old password PW i to a new password PW new .
However, all of the aforesaid conditions are not incorporated in the password change phase of the Wen's authentication scheme [3].

Impersonation Attack
In Wen's scheme, the old password PW i has no role in the password change operation. Therefore, if the adversary chooses two random passwords PW 0 i and PW 00 i , and issues a password change request on behalf of U i to S by sending hID i , PW 0 i , PW 00 i i. Upon receiving the password change request, S computes v = H(KjjID i ), s 00 1 = HðPW 00 i jj KÞ, s 00 2 ¼ HðHðPW 00 i jj s 00 1 ÞÞ and N 00 ¼ v È s 00 2 , and sends hs 00 1 , N 00 i to the adversary. Upon receiving hs 00 1 , N 00 i, the adversary chooses a sufficiently large value c 00 i as the counter and then stores the tuple hID i , H(Á), N 00 , s 00 1 , c 00 i i into a smart card. It can be noted that, the adversary can successfully impersonate U i by using this smart card and hID i , PW 00 i i.

Privileged-Insider Attack
It is difficult for a user to remember a number of passwords, if he/she registers himself/herself to different applications or servers with different passwords [37,38]. Therefore, it is common in real-life environments that a user accesses a number of servers with the common password and identity. However, if the password of the user is known by some means to the privilegedinsider of a server, then of course he may try to impersonate the user to access other application servers. We can define the insider attacker is any manager of the authentication server, whose intention is to leak the secret information leading to compromise the system. In the registration phase of Wen's authentication scheme [3], U i transmitted hID i , PW i i in plaintext form to S, then the malicious privileged-insider of S may impersonate U i by login to other application servers using the known hID i , PW i i. Therefore, Wen's authentication scheme is not secure against privileged-insider attack.

Absence of Lost/Stolen Smart Card Revocation Phase
In a smart card based authentication scheme, the revocation of lost/stolen smart card plays a vital role in order to provide the adequate security to the end user [39]. However, Wen's scheme [3] has not offered such an important security features. In the design of two-factor user authentication system, most of the researchers offers a realistic assumption that the smart card is non-temper resistance. It includes that if an adversary obtains a smart card, then he/she can perform some off-line analysis by monitoring the timing information, power consumption and reverse engineering techniques as presented in [40][41][42] and can obtain the information from the lost smart card. Now the adversary may apply some off-line procedure on the extracted information and may get success to find the correct password of the user. If the adversary found the correct password, then he/she can masquerade the corresponding legal user by using the guessed password and the lost smart card [37][38][39]. Thus, the cryptographic research community suggested that the lost/stolen smart card revocation phase must be incorporated in two-factor user authentication scheme so that the remote server can distinguish the lost smart card and the new smart card.

Absence of Explicit Session Key Confirmation Property
According to the analysis provided in [43], an authenticated key agreement (AKA) scheme must have the explicit session key confirmation (implicit key authentication and key confirmation) property. The implicit key conformation property includes that the user X is assured that Y can compute the session key. However, the explicit key confirmation property states that the user X is assured that the user Y has actually computed the session key. Therefore, only the explicit key confirmation property provides the stronger assurances that X and Y hold the same session key. A key agreement scheme that includes explicit key authentication is termed as authenticated key agreement with key confirmation (AKC) scheme. In the authentication phase of Wen's scheme [3], S computes M 2 = H(s 2 jjrjj0) and sends it to U i . On receiving M 2 , U i computes M 0 2 = H(s 2 jjrjj0) and authenticates S if the verification M 0 2 = M 2 is correct. After this verification, U i computes the session key as SK = H(s 2 jjrjj1). As the authentication message M 2 does not include the session key information, therefore, the explicit session key confirmation property is not achieved in Wen's authentication scheme.

Absence of No Key Control Property
The no key control property of an AKA scheme means that none of the users have control over others [38,43,44]. That is none of the users or even an adversary can force other so that the session key to be a pre-selected value or it may lie within a set consisting of small number of elements. Thus, we can say that an AKA scheme has the no key control property if the session key is computed with the contributions of all the participants. In Wen's scheme [3], we observed that the final session key agreed between U i and S is SK = H(s 2 jjrjj1), where U i chooses the random number r. Now it is clear that S has no contribution on the session key. Therefore, the no key control property is absent in Wen's authentication scheme.

The Proposed User Authentication Scheme
In the following, an improved user authentication scheme is presented that not only eliminates the inefficiencies of Wen's authentication scheme [3], but also includes additional security and functional properties of a two-factor authentication scheme. Similar to the Wen's scheme, the security of our user authentication scheme is based on the intractable assumption of the quadratic residue problem (QRP) in the multiplicative group Z Ã n [3,35,36]. Initially, the remote server S of the integrated EPR information system selects two large prime numbers p, q. S discloses the public modulus n, whereas p and q are kept secret from the outsiders. S also selects K 2 R Z Ã n as his/her secret (private) key. Our enhanced scheme includes the following phases, called registration phase, login phase, authentication phase, password change phase and lost/stolen smart card revocation phase. The complete explanation of these phases are given below.

Registration Phase
In this phase, a legal user U i registerers himself/herself to the remote server S and obtains a valid medical smart card from S. The following steps are executed by U i and S: Step 1. U i issues a registration request with his/her identity ID i to S over a secure channel.
Step 2. On receiving ID i , S checks whether ID i is fresh or not. If it is found in the S's database, then S informs U i to supply a fresh login identity. Otherwise, S selects a number b i 2 R Z Ã n and then computes A i = H(ID i jjKjjb i ). After that, S initiates a counter c i = 0 [3] and selects a new smart card that includes the information hH(Á), n, A i , c i i. Then S securely delivers the smart card to the user U i . S includes the tuple hID i , c i , b i i into the database [45].
Step 3. On receiving the smart card, U i inserts the smart card into the card reader and keys his/ her login identity ID i and the password PW i into the smart card. Then the smart card computes B i = H(ID i jjPW i ), C i = A i ÈB i and D i = H(A i jjB i ). Now the smart card deletes the information hA i , B i i from the memory and then updates it by the tuple hH(Á), n, C i , D i , c i i.

Login Phase
In this phase, U i computes a login message and sends it to S for verification. The login phase includes the following steps: Step 1. U i inserts the smart card into the specific card reader and keys his/her hID i , PW i i into the smart card. The smart card computes B i = H(ID i jjPW i ), A i = C i ÈB i and D 0 i = H(A i jjB i ). The smart card aborts the login process if D 0 i 6 ¼ D i holds. Otherwise, the smart card executes the following steps.
Step 2. The smart card computes c i = c i + 1 and the login message M 1 = (ID i jjA i jjajjc i ) 2 mod n, where the number a 2 R Z Ã n is chosen by the smart card. Then the smart card sends M 1 to S over a public network.

Authentication Phase
Step 1. Upon receiving M 1 , S then obtains (ID i jjA i jjajjc i ) from M 1 using the Chinese Remainder Theorem (CRT) with p and q. Now, S retrieves the tuple hID i , c 0 i , b i i, which is indexed by ID i , from the database and compares whether c 0 i > c i holds. If it is incorrect, S terminates the session. Otherwise, S updates the tuple hID i , c 0 i , b i i to hID i , c i , b i i and continues to the next step.
Step 2. Now, S computes A 0 i = H(ID i jjKjjb i ) and verifies whether A 0 i ¼ A i holds. If it is incorrect, S terminates the session, otherwise accepts the login message M 1 and authenticates U i .
Step 3. S selects a number b 2 R Z Ã n and computes d = aÈb, the session key SK = H(ID i jjajjbjjA i ) shared with U i and M 2 = H(ID i jjA i jjdjjSK). Then S delivers the message {d, M 2 } to U i over a public network.
Step 4. On receiving {d, M 2 }, U i computes b = dÈa, the session key SK = H(ID i jjajjbjjA i ) and M 0 2 = H(ID i jjA i jjdjjSK). If M 0 2 6 ¼ M 2 , U i terminates the session. Otherwise, U i authenticates S and accepts SK as the correct session key shared with S.

Password Change Phase
In the password change phase, the smart card is allowed to independently (i.e., without any assistance of S) change U i 's old password PW i to the new password PW n i . We described the password change phase with the following steps: Step 1. U i inserts the smart card into the specific device and then keys his/her hID i , PW i i into the smart card. The smart card then computes B i = H(ID i jjPW i ), A i = C i ÈB i and D 0 i = H (A i jjB i ). The smart card aborts the password change if D 0 i 6 ¼ D i holds. Otherwise, the smart card executes the next step.
Step 2. The smart card computes B n i = HðID i jj PW n i Þ, C n i = A i È B n i and D n i = HðA i jj B n i Þ. Now, the smart card updates the tuple hH(Á), n, C i , D i , c i i to tuple hH(Á), n, C n i , D n i , c i i into the memory.

Stolen/Lost Smart Card Revocation Phase
This phase is designed to issue a new smart card if U i lost his/her old smart card. The description of this phase includes the following steps: Step 1. The user U i sends the smart card revocation request with his/her identity ID i to S over a secure channel.
Step 2. S verifies the correctness of the identity ID i . If it is invalid, S terminates the request. Otherwise, S selects a new number b 0 i 2 R Z Ã n and then computes A 0 i i into his/her database. Now, S writes the information hH(Á), n, A 0 i , c i i into a new smart card and delivers it to U i through a secure channel.
Step 3. On receiving the new smart card, U i inserts it into the card reader and inputs his/her login identity ID i and the new password PW 0 i into the smart card. Then the smart card com- The complete description of the Login and Authentication phases of our user authentication scheme is further presented in Table 3.

Security and Functionality Analysis of the Proposed Scheme
This section is designed to prove the security and functionality strengths of our proposed scheme [46][47][48]. Now, we described the following assumptions about the attack capability of active and passive adversaries: • The adversary A controls the communication channel [49,50] i.e., he/she may intercept, block, inject, remove, or modify, any messages transmitted over the public media, in other words, all the messages communicated between U i and S are transmitted via A.
• A may either (i) theft U i 's smart card and obtain the secret data from it through monitoring the timing information, power consumption and reverse engineering techniques which are proposed in [40][41][42] and try to obtain U i 's correct password in any off-line manner; or (ii) obtain U i 's password directly by some means. However, A cannot do both (i) and (ii) [37,38].
Based on the aforesaid assumptions, the following theorems have been stated and proved against the proposed user authentication scheme. Theorem 1. The proposed user authentication scheme could provide the user anonymity and user unlinkability.
Proof. Users' anonymity or secrecy, i.e., the protection of user's identity from the adversary is a great concern in many internet applications including integrated EPR information system, telecare medical information system (TMIS), online order placement, Pay-TV, wireless communications, banking transactions, etc [51][52][53]. The anonymity means that an adversary A cannot figure out the real identity ID i of U i from the eavesdropped authentication messages M 1 and {d, M 2 }. Suppose that A captures U i 's authentication message M 1 = (ID i jjA i jjajjc i ) 2 mod n for a session. However, A cannot retrieve the identity ID i from M 1 due to the difficulties of quadratic residue problem and from M 2 due to the one-way property of the hash function H(Á). On the other hand, A cannot link that the two authentication messages M 1 = (ID i jjA i jjajjc i ) 2 mod n and M 0 1 = ðID i jj A i jj a 0 jj c 0 i Þ 2 mod n belong to the same user U i and as a result the proposed scheme satisfies user anonymity and unlinkability [38,45,54].
Theorem 2. The proposed user authentication scheme could provide the perfect forward secrecy of the session key.
Proof. The perfect forward secrecy [43,45,55] ensures that a session key derived in a session will remains undisclosed even if the server's secret key is compromised. In the proposed scheme, the session key is computed as SK = H(ID i jjajjbjjA i ), where A i = H(ID i jjKjjb i ) and the random numbers a and b are chosen by U i and S, respectively. Therefore, even if A has the knowledge of secret key K of S, A needs to be extract a and b from M 1 = (ID i jjA i jjajjc i ) 2 mod n ðvia a public channelÞ Improvement of a More Secure Anonymous User Authentication Scheme and {d = aÈb, M 2 = H(ID i jjA i jjdjjSK)} to derive the session key SK, however this is infeasible due to the quadratic residue problem [3,35]. Thus, our scheme provides the functionality of session key perfect forward secrecy. Theorem 3. The proposed user authentication scheme could resist the replay attack.
Proof. In replay attack, the adversary A captured a valid login message of previous session and then fraudulently replayed to current session to impersonate U i or S. Assume that, in our scheme, A captured the previous login message M 1 = (ID i jjA i jjajjc i ) 2 mod n of U i and replays it in the current session. However, S quickly detects that M 1 is a replay message by comparing the counter c i in the message M 1 with the counter c 0 i retrieves from S's database. When U i sends M 1 = (ID i jjA i jjajjc i ) 2 mod n to S, then S verifies it and stores the counter c i to the tuple hID i , c i , b i i. Now, if the same M 1 is replayed by the adversary in future session then the computed counter c i is equal to or less than the retrieved counter c i . The counter c i helps S to detect the replay attack [3]. Thus, the proposed user authentication scheme avoids the replay attack.
Therefore, our authentication scheme protects this kind of modification/forgery attack.
Theorem 5. The proposed user authentication scheme could resist the privileged-insider attack.
Proof. To make the convenient access of different application servers, user generally registers himself/herself by the common login identity and passwords. It is harmful for the user that if the password is compromised to the privileged-insider of a server, then he/she can easily impersonate the user and can login to other applications. In the registration phase of our scheme, U i only sends his/her login identity ID i not any password to S. Upon receiving the smart card from S, U i inserts his/her PW i into the smart card. As a result, PW i is not exposed to the privileged-insider of S. Therefore, our scheme withstands the privileged-insider attack.
Theorem 6. The proposed user authentication scheme could provide the off-line password guessing attack from lost/stolen smart card.
Proof. The off-line password guessing attack is infeasible in our scheme. Assume that A obtains U i 's smart card and extracts the parameters hH(Á), n, C i , D i , c i i, where C i = H (ID i jjKjjb i )ÈH(ID i jjPW i ) and D i = H(H(ID i jjKjjb i )jjH(ID i jjPW i )). Now A may try to guess the correct password PW i of U i in off-line processes. However, without knowing K and b i , A cannot find PW i . Thus, our user authentication scheme strongly resists the off-line password guessing attack from lost/stolen smart card.
Theorem 7. The proposed user authentication scheme could resist the ephemeral secret leakage attack.
Proof. This attacks states that the none of the session keys should be compromised with the disclosures of session random numbers (ephemeral secrets) [56]. The ephemeral secrets may be compromised [37,45] and it is quite common in real environments due to the following reasons: (i) user and server depended on the internal/external source of random number generator which may be controlled by A and (ii) the random numbers are generally stored in insecure device. If the random numbers aren't erased properly in each session, A may hijack users' computer and learn the random numbers. In our scheme, U i and S generate the session key as SK = H(ID i jjajjbjjA i ), where A i = H(ID i jjKjjb i ). Suppose that ha, bi is disclosed and A knows it.
However, A cannot compute SK without A i . Therefore, the ephemeral secret leakage attack is infeasible in the proposed scheme.
Theorem 8. The proposed user authentication scheme could resist the known-key attack.
Proof. This attack states that, none of the session keys are compromised even if the adversary A knows some other session keys [43]. In our scheme, U i and S establish a session key SK = H(ID i jjajjbjjA i ), where A i = H(ID i jjKjjb i ). The numbers a and b are randomly chosen from Z Ã n and hence SK is also random and independent in each session. Therefore, with the knowledge of previous session keys A cannot compute a new session key. Accordingly, the knownkey attack is impossible in our user authentication scheme.
Theorem 9. The proposed user authentication scheme could resist the unknown key-share attack and provide the explicit key confirmation property of the agreed session key.
Proof. The unknown key-share attack [43] is a situation that U i finishes the session by believing that he/she shares the session key SK correctly with S, however, S mistakenly believes that SK is instead shared with the adversary A. In the proposed scheme, S computes the session key SK after validating the messages M 1 . To validate the message {d, M 2 } and to get the confirmation about the agreed session key SK, U i computes SK = H(ID i jjajjbjjA i ), M 0 2 = H (ID i jjA i jjdjjSK) and authenticates S and accepts SK as the correct session key if the condition M 0 2 ¼ M 2 hold. Therefore, U i and S mutually authenticate each other and then compute the session key SK, accordingly our scheme enjoys the unknown key-share attack resilience and explicit key confirmation of the session key.
Theorem 10. The proposed user authentication scheme could provide efficient and user friendly password change option.
Proof. Our scheme gives the flexibility to the user to choose low-entropy password by himself/herself and change the password periodically without remote server's assistance [28,29]. Moreover, the proposed scheme detects the wrong password and identity during the login phase and password change phase. In these processes, if U i keys either wrong password PW Ã i or identity ID Ã i by mistake, the smart card reports the error message to U i without any consultation with S [37]. On the other hand, if A thefts U i 's smart card, however, he/she does not have the capability to update smart card's memory without correct password PW i , and consequently the denial of service (DoS) attack is eliminated in our scheme. If A tries to do the same with wrong password, the smart card will be locked immediately if the number of login failure exceeds the pre-defined limit.
Theorem 11. The proposed user authentication scheme could provide mutual authentication and session key agreement between the user and the remote server.
Proof. In our scheme, S authenticates U i 's login message M 1 = (ID i jjA i jjajjc i ) 2 mod n by verifying the conditions c 0 i > c i and A 0 i ¼ ?A i . Similarly, U i verifies S's response message hd, M 2 i by validating whether M 0 2 ¼ M 2 holds. Without hPW i , Ki, A cannot impersonate none of U i and S. Hence, the secure mutual authentication between U i and S is achieved in our scheme. Moreover, after mutual authentication, U i and S compute a random and unique session key SK = H (ID i jjajjbjjA i ), where A i = H(ID i jjKjjb i ).

Performance Analysis of the Proposed Scheme
In the following, we have performed the comparison analysis of our authentication scheme with the schemes proposed in [3,34,[57][58][59]. Here, the following notations are described for this purpose: • t h : Time needed to execute a hash function.
• t m : Time needed to execute a modular squaring computation.
• t q : Time needed to execute a square root operation with the modulus n.
The comparative result of the proposed scheme and the schemes in [3,34,[57][58][59] from the aspects of computation cost and communication round is listed in the Table 4. Our scheme proposed all the required phases where the schemes in [3,34,[57][58][59] do not have password change phase and smartcard revocation phase. Furthermore, we observed that our scheme is more robust and computation and communication cost efficient than the schemes devised in [3,34,[57][58][59].
We also given a comparison in Fig 1 against the number of operations used in the registration and login phased of the schemes in [3,34,[57][58][59] with the proposed scheme.
In 2011, based on QRP, Wu et al [57] proposed a user authentication scheme using smartcard. However, the scheme is vulnerable to (1) privileged-insider attack since the plaintext password is sending to the server for registration, (2) the scheme does not verify the keyed password and identity in the login phase, (3) the scheme does not have password change phase, (4) it has no provision to revoke the lost/stolen smart card, (5) no session key agreement method is proposed and (6) user anonymity and unlinkability are violated as the identity is transmitted in plaintext form. In the year 2012, in order to ensure users' privacy, Zhu [34] proposed a user authentication schemes for telecare medicine information systems. We carefully observed that the Zhu's scheme [34] is not free from attack since (1) the scheme does not verify the correctness of the login identity and password in the login phase, (2) the scheme does not verify the correctness of the login identity and password in the password change phase, (3) the scheme has no provision to revoke the smartcard in case if the smartcard is stolen or lost, (4) the scheme does not design a session key agreement method during login and authentication phases, (5) user anonymity and user untracibility are not present in this scheme. In 2013, Cheng et al. [58] proposed a a biometric-based remote user mutual authentication and session key agreement scheme using QRP. However, Yoon [60] showed that the scheme is insecure from the stolen smart card attack, server spoofing attack and does not provide session key forward secrecy. We also observed that the scheme does not have provision for password change and lost/stolen smart card revocation. In addition, the scheme does not verify the correctness of keyed identity and password in the login phase. Further, the scheme is also suffered from the ephemeral secrets leakage attack as the session key solely depended on the random numbers chosen by the user and server. In 2015, Lee [59] proposed an efficient smartcard-based two-factor remote user mutual authentication scheme. However, we observed that the scheme is not secure since (1) the scheme does not proposed any password change method, (2) the scheme does not proposed any lost/stolen smart card revocation method, (3) The scheme has no provision for session key agreement during login and authentication phases, (4) the scheme does not verify the keyed password and identity in the login phase, (5) the privileged-insider attack since the plaintext password is sending to the server for registration.
In the comparative analysis of the proposed scheme and the schemes [3,34,[57][58][59] with respect to security and functionality are included in the Table 5. Form Tables 4 and 5, it can be see that the proposed user authentication scheme includes more security and functional features compared to [3,34,[57][58][59].

Conclusions
The privacy and confidentiality of patient information and the untraceability and anonymity of patient have considered important factors from the security research communities for any user authentication system used in different healthcare applications. In keeping with these requirements, Wen proposed an enhanced user authentication scheme against Lee et al.'s authentication scheme for the EPR information system. However, this paper analyzed Wen's scheme and demonstrated that it has many security and design problems and thus, it may not be considered appropriate for the secure and efficient healthcare applications. We have then taken into consideration the intractability assumption of the quadratic residue problem in the multiplicative group and proposed another two-factor user authentication scheme with more security and functionality aspects than existing schemes. Improvement of a More Secure Anonymous User Authentication Scheme Table 5. Security and functionality comparison of the proposed scheme with other existing schemes.