Abstract
A smart-card-based user authentication scheme for wireless sensor networks (hereafter referred to as a SCA-WSN scheme) is designed to ensure that only users who possess both a smart card and the corresponding password are allowed to gain access to sensor data and their transmissions. Despite many research efforts in recent years, it remains a challenging task to design an efficient SCA-WSN scheme that achieves user anonymity. The majority of published SCA-WSN schemes use only lightweight cryptographic techniques (rather than public-key cryptographic techniques) for the sake of efficiency, and have been shown to fail to provide user anonymity. Some schemes employ elliptic curve cryptography for better security but require sensors with strict resource constraints to perform computationally expensive scalar-point multiplications; despite the increased computational requirements, these schemes do not provide user anonymity. In this paper, we present a new SCA-WSN scheme that not only achieves user anonymity but also is efficient in terms of the computation load on sensors. Our scheme employs elliptic curve cryptography but restricts its use to anonymous user-to-gateway authentication, thereby allowing sensors to perform only lightweight cryptographic operations. Our scheme also enjoys provable security in a formal model extended from the widely accepted Bellare-Pointcheval-Rogaway (2000) model to capture the user anonymity property and various SCA-WSN-specific attacks (e.g., stolen smart card attacks, node capture attacks, privileged insider attacks, and stolen verifier attacks).
Citation: Nam J, Choo KKR, Han S, Kim M, Paik J, Won D (2015) Efficient and Anonymous TwoFactor User Authentication in Wireless Sensor Networks: Achieving User Anonymity with Lightweight Sensor Computation. PLoS ONE 10(4): e0116709. https://doi.org/10.1371/journal.pone.0116709
Academic Editor: Muhammad Khurram Khan, King Saud University, Kingdom of Saudi Arabia, SAUDI ARABIA
Received: October 19, 2014; Accepted: December 14, 2014; Published: April 7, 2015
Copyright: © 2015 Nam et al. This is an open access article distributed under the terms of the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original author and source are credited.
Data Availability: All relevant data are within the paper and its Supporting Information files.
Funding: This work was supported by Konkuk University. The funders had no role in study design, data collection and analysis, decision to publish, or preparation of the manuscript.
Competing interests: The authors have declared that no competing interests exist.
Introduction
The quest to understand real-world phenomena at a fine spatial-temporal resolution has led to a great increase in interest in wireless sensor networks (WSNs). Where not already in place, WSNs are now being planned and deployed in application settings such as wildlife monitoring, military surveillance, healthcare diagnostics, and vehicular tracking [1]. Providing an application service in a WSN environment introduces significant security challenges for the involved parties: sensors, users and gateways. One fundamental challenge is to establish a shared session key between a sensor and a user in an authenticated manner (known as authenticated key exchange) via a gateway, and thereby to prevent unauthorized access to sensitive sensor data and their transmissions. Since sensors have severe resource constraints, and because of network characteristics such as unattended operation and unreliable communication channels, authenticated key exchange in WSNs is generally regarded as harder to achieve than in traditional networks with ample computing resources and pre-existing infrastructure. Achieving authenticated key exchange becomes even more difficult when user anonymity is desired. As concern for privacy grows, user anonymity has become a vital security property in various WSN applications as well as in many other applications such as location-based services, e-voting, mobile roaming services, and anonymous web browsing.
A smart-card-based user authentication scheme for WSNs (in short, a scawsn scheme) allows a user holding a smart card issued by the gateway to achieve authenticated key exchange with a sensor, preferably in a way that preserves the user's anonymity. Since the early work of Das [2], He et al. [3], Khan and Alghathbar [4] and Chen and Shih [5], none of which provides key-exchange functionality, the design of scawsn schemes has attracted much attention from researchers because of their potential to be widely deployed, and a number of proposals offering various levels of security and efficiency have been presented [6–20]. Some schemes consider only authenticated key exchange [6, 8, 9, 12, 20] while others attempt to additionally provide user anonymity [7, 10, 11, 13–19]. Schemes such as those in [6, 12, 20] employ elliptic curve cryptography to provide perfect forward secrecy, while most schemes [7–11, 13–19] use only lightweight cryptographic techniques, such as symmetric encryption, message authentication codes and hash functions, in order to improve efficiency.
One common security requirement for scawsn schemes is to ensure that:
 only a user who is in possession of both a smart card and the corresponding password can be successfully authenticated (by the gateway) and access the sensor data.
This requirement is commonly referred to as two-factor security [21–25] and is modelled via an adversary who is able either to extract all the information inside the smart card of a user or to learn the password of the user, but not both. (Clearly, there is no means to prevent the adversary from impersonating a user if both the information in the smart card and the password of the user are disclosed.) The former requires physical access to the smart card followed by a side-channel attack [26, 27] on the (lost, misplaced or stolen) card, while the latter can be achieved by shoulder-surfing or by using a malicious card reader. Any attack exploiting the former ability is commonly called a stolen smart card attack and is considered practical under the assumption that users' smart cards are non-tamper-resistant. Accordingly, scawsn schemes should be designed to achieve their intended security properties, such as authenticated key exchange and user anonymity, against stolen smart card attacks.
Despite the many research efforts to date, it remains a challenging task to design an efficient scawsn scheme that provides user anonymity. The recent work of Wang and Wang [28, 29] shows that, under the non-tamper-resistance assumption on smart cards, no scawsn scheme can provide user anonymity without recourse to public-key cryptography. This result is somewhat surprising because it implies that all existing anonymous schemes using only lightweight cryptographic techniques [7, 10, 11, 13–19] fail to achieve user anonymity in the presence of an adversary who can mount a stolen smart card attack. As an example of such a failure, we take the recent scawsn scheme of Jiang et al. [19], which was presented with a claim of user anonymity. To illustrate the failure, we only need to examine the user registration and login request phases of the scheme. Let MK be the master key of the gateway GW, and H be a cryptographic hash function. Then, the two phases proceed as follows:
 User Registration. A user U registers with GW as follows:
 U chooses its identity ID_{U} and password PW_{U}, generates a random number r, computes RPW_{U} = H(r‖PW_{U}), and submits ID_{U} and RPW_{U} to GW via a secure channel.
 If ID_{U} is valid, GW generates a temporary identity for U, TID_{U}, and computes TC_{U} = H(MK‖ID_{U}‖TE_{U}) and PTC_{U} = TC_{U}⊕RPW_{U}, where TE_{U} is the expiration time of TID_{U}. GW then stores (TID_{U}, ID_{U}, TE_{U}) in its verification table, and issues U a smart card containing {H(⋅), TID_{U}, TE_{U}, PTC_{U}}.
 U stores the random number r into the smart card, which then holds {H(⋅), TID_{U}, TE_{U}, PTC_{U}, r}.
 Login Request. U inserts its smart card into a card reader, and inputs ID_{U} and PW_{U}. The smart card retrieves the current timestamp T_{U}, selects a random key K_{U}, and computes TC_{U} = PTC_{U}⊕H(r‖PW_{U}), PKS_{U} = K_{U}⊕H(TC_{U}‖T_{U}) and C_{U} = H(ID_{U}‖K_{U}‖TC_{U}‖T_{U}). Then, U sends the login request message M_{U} = ⟨TID_{U}, C_{U}, PKS_{U}, T_{U}⟩ to GW.
Assume an attacker A who has obtained the information {H(⋅), TID_{U}, TE_{U}, PTC_{U}, r} stored on the smart card of user U. A eavesdrops and obtains the login request message M_{U} = ⟨TID_{U}, C_{U}, PKS_{U}, T_{U}⟩, and mounts the following offline dictionary attack.
 Step 1. A makes a guess $PW_U'$ on the password $PW_U$ and computes $TC_U' = PTC_U \oplus H(r \Vert PW_U')$ and $K_U' = PKS_U \oplus H(TC_U' \Vert T_U)$.
 Step 2. For each possible identity $ID_U'$, A computes $C_U' = H(ID_U' \Vert K_U' \Vert TC_U' \Vert T_U)$ and verifies the correctness of $PW_U'$ and $ID_U'$ by checking whether $C_U'$ equals $C_U$. Note that, with overwhelming probability, $C_U' = C_U$ if and only if $PW_U' = PW_U$ and $ID_U' = ID_U$.
 Step 3. A repeats Steps 1 and 2 until the correct password and identity are found.
This dictionary attack works because the identity space is very limited in practice, usually being even smaller than the password space [28, 29]. Step 1 costs two hash evaluations per password guess and Step 2 one hash evaluation per identity guess, so the whole search is bounded by (number of candidate passwords) × (number of candidate identities) hash evaluations, performed entirely offline from the stolen card contents and a single eavesdropped login request. All other schemes using only lightweight cryptographic techniques are vulnerable to similar dictionary attacks, as shown in [28, 29]. Note that simply using a symmetric encryption scheme cannot overcome this inherent failure. Although there are some published schemes that employ elliptic curve cryptography [6, 12, 20], these schemes were designed with no user anonymity in the first place and, moreover, are not efficient in the sense that they impose expensive scalar-point multiplications on resource-constrained sensors.
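To make the cost of the attack concrete, here it is simulated in Python on constructed data (an added example; not code from this paper or from Jiang et al.). SHA-256 plays the role of H; the master key MK, the expiration time TE_U, the password dictionary and the identity space are all constructed; and `offline_dictionary_attack` implements Steps 1 to 3 exactly as listed above, returning the recovered pair together with the number of (PW′, ID′) combinations it had to test.

```python
"""Offline dictionary attack on the Jiang et al. registration/login values quoted above.
Added example on constructed data; SHA-256 stands in for the hash function H."""
import hashlib
import os
import time


def H(*parts: bytes) -> bytes:
    """Cryptographic hash H(.) with '||' as the concatenation separator."""
    return hashlib.sha256(b"||".join(parts)).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def register(mk: bytes, id_u: bytes, pw_u: bytes) -> dict:
    """User registration: returns what the smart card ends up holding.
    TID_U and TE_U are constructed placeholders; only PTC_U and r matter for the attack."""
    r = os.urandom(32)
    rpw_u = H(r, pw_u)                  # RPW_U = H(r || PW_U), submitted to GW with ID_U
    tid_u = os.urandom(8)               # TID_U, temporary identity chosen by GW
    te_u = b"2015-12-31"                # TE_U, expiration time of TID_U (constructed)
    tc_u = H(mk, id_u, te_u)            # TC_U = H(MK || ID_U || TE_U)
    ptc_u = xor(tc_u, rpw_u)            # PTC_U = TC_U xor RPW_U
    return {"TID": tid_u, "TE": te_u, "PTC": ptc_u, "r": r}


def login_request(card: dict, id_u: bytes, pw_u: bytes) -> tuple:
    """Login request M_U = <TID_U, C_U, PKS_U, T_U> as computed by the smart card."""
    t_u = int(time.time()).to_bytes(8, "big")
    k_u = os.urandom(32)                           # random key K_U
    tc_u = xor(card["PTC"], H(card["r"], pw_u))    # TC_U = PTC_U xor H(r || PW_U)
    pks_u = xor(k_u, H(tc_u, t_u))                 # PKS_U = K_U xor H(TC_U || T_U)
    c_u = H(id_u, k_u, tc_u, t_u)                  # C_U = H(ID_U || K_U || TC_U || T_U)
    return (card["TID"], c_u, pks_u, t_u)


def offline_dictionary_attack(card: dict, m_u: tuple, passwords, identities):
    """Attacker holds the card contents (stolen smart card attack) and one eavesdropped M_U.
    Returns (ID_U, PW_U, combinations tested) or None; no further interaction is needed."""
    _tid, c_u, pks_u, t_u = m_u
    tried = 0
    for pw_guess in passwords:
        tc_guess = xor(card["PTC"], H(card["r"], pw_guess))   # Step 1
        k_guess = xor(pks_u, H(tc_guess, t_u))
        for id_guess in identities:                           # Step 2
            tried += 1
            if H(id_guess, k_guess, tc_guess, t_u) == c_u:
                return id_guess, pw_guess, tried
    return None                                               # Step 3: exhausted without a hit


def demo():
    """Whole attack on constructed data; returns the recovered (ID_U, PW_U)."""
    mk = os.urandom(32)                         # gateway master key, never seen by the attacker
    id_u, pw_u = b"user042", b"hunter2"
    card = register(mk, id_u, pw_u)
    m_u = login_request(card, id_u, pw_u)
    passwords = [b"password", b"123456", b"qwerty", b"hunter2", b"letmein"]   # constructed dictionary
    identities = [b"user%03d" % i for i in range(1000)]                       # small identity space
    result = offline_dictionary_attack(card, m_u, passwords, identities)
    return result[:2] if result else None


if __name__ == "__main__":
    print(demo())
```

With a 5-word dictionary and 1000 candidate identities the search tops out at 5000 evaluations of the Step 2 hash; real identity spaces (employee numbers, device-bound user IDs) are of that order, which is why the paper treats this as a practical break rather than a theoretical one.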
In this paper, we present an efficient and provably anonymous scawsn scheme that requires sensors to perform only lightweight cryptographic operations. Our scheme employs elliptic curve cryptography but restricts its use to anonymous user-to-gateway authentication in order not to impose any (expensive) public-key operations, such as scalar-point multiplications and map-to-point operations, on sensors. We formally prove that our scheme achieves user anonymity as well as authenticated key exchange in an extension of the widely accepted model of Bellare et al. [30]. In proving the security properties, we assume that the cryptographic hash functions used are random oracles and that the elliptic curve computational Diffie-Hellman problem is computationally hard. The extended model captures not only the notion of two-factor security but also standard attacks against scawsn schemes such as node capture attacks, privileged insider attacks, and stolen verifier attacks.
The remainder of this paper is structured as follows. Section 2 describes an extended security model for the analysis of anonymous scawsn schemes. Section 3 presents our proposed scawsn scheme along with the cryptographic primitives on which its security relies. Section 4 provides proofs of the security properties of the proposed scheme in the extended security model. Section 5 concludes the paper with a comparison of the efficiency and security of our scheme and other scawsn schemes.
A Security Model for Anonymous scawsn Schemes
This section describes a security model extended from the model of Bellare et al. [30] to analyze the authentication and key exchange protocols of anonymous scawsn schemes. Our security model captures the notion of two-factor security as well as resistance to node capture attacks, privileged insider attacks, stolen verifier attacks, and other common attacks. We provide two security definitions associated with the model, one for authenticated key exchange and one for user anonymity, which together define a secure, anonymous scawsn scheme.
Participants
Let 𝓢𝓝 and 𝓤 be the sets of all sensors and users, respectively, registered with the gateway GW. Let 𝓔 = 𝓤∪𝒮𝓝∪{GW}. We identify each entity E ∈ 𝓔 by a string, and interchangeably use E and ID_{E} to refer to this identifier string. To formally capture the user anonymity property, we assume that: (1) each user U ∈ 𝓤 has its pseudo identity PID_{U} in addition to the true identity ID_{U} and (2) the adversary 𝓐 is given only PID_{U} but not ID_{U}.
Protocol Executions
A user U ∈ 𝓤 may run multiple sessions of the authentication and key exchange protocol of a scawsn scheme, either serially or concurrently, to establish a session key with a sensor SN ∈ 𝒮𝓝 with the assistance of the gateway GW. Therefore, at any given time, there may be multiple instances of the entities U, SN and GW. We use $\Pi_E^i$ to denote instance i of entity E ∈ 𝓔. Instances of U and SN are said to accept when they compute a session key in an execution of the protocol. We denote the session key of $\Pi_E^i$ by $sk_E^i$.
Long-Lived Keys
During the initialization of the protocol,
 each U ∈ 𝓤 chooses its password PW_{U} from a fixed dictionary 𝒟, and
 GW generates its master secret(s), issues a smart card to each U ∈ 𝓤, and shares a cryptographic key with each SN ∈ 𝒮𝓝.
Partnering
Informally, two instances are said to be partners of each other if they participate together in the same protocol session and, as a result, compute the same session key. Formally, partnering between instances is defined in terms of the notion of a session identifier. A session identifier (sid) is an identifier of a protocol session and is typically defined as a function of the messages exchanged in the session. Let $sid_E^i$ denote the sid of instance $\Pi_E^i$. We say that two instances, $\Pi_U^i$ and $\Pi_{SN}^j$, are partners if (1) both instances have accepted and (2) $sid_U^i = sid_{SN}^j$.
Adversary Capabilities
We assume there exists an adversary 𝓐 running in probabilistic polynomial time (ppt) in the security parameter κ, which represents the bit-length of session keys. We note that the size of the dictionary 𝒟 is a fixed constant independent of the security parameter κ. The ppt adversary 𝓐 has complete control of all communications between entities, can request access to session keys and long-term keys, and can extract the information stored on a user's smart card. These capabilities of 𝓐 are modeled via the following oracle queries, which 𝓐 is allowed to make.
 $\mathsf{Execute}(\Pi_U^i, \Pi_{SN}^j, \Pi_{GW}^k)$: This query models passive attacks against the protocol. It prompts an execution of the protocol between the instances $\Pi_U^i$, $\Pi_{SN}^j$ and $\Pi_{GW}^k$, and outputs the transcript of the protocol execution to 𝓐.
 $\mathsf{Send}(\Pi_E^i, m)$: This query sends a message m to an instance $\Pi_E^i$, modelling active attacks against the protocol. Upon receiving m, the instance $\Pi_E^i$ proceeds according to the protocol specification. The message output by $\Pi_E^i$, if any, is returned to 𝓐. A query of the form $\mathsf{Send}(\Pi_U^i, \mathsf{start}:\langle SN, GW\rangle)$ prompts $\Pi_U^i$ to initiate a protocol session with instances of SN and GW.
 $\mathsf{Reveal}(\Pi_E^i)$: This query captures the notion of known-key security. The instance $\Pi_E^i$, upon receiving the query and if it has accepted, returns its session key $sk_E^i$ to 𝓐.
 $\mathsf{CorruptLL}(U)$ / $\mathsf{CorruptSC}(U)$: These queries together capture the notion of two-factor security. The former returns the password of U while the latter returns the information stored in the smart card of U.
 $\mathsf{CorruptLL}(SN)$: This query returns the long-lived secret(s) of the sensor SN, modelling node capture attacks.
 $\mathsf{CorruptLL}(GW)$: This query returns the long-lived (master) secret(s) of the gateway GW, modelling privileged insider attacks.
 $\mathsf{CorruptVFR}(GW)$: This query returns the password verifiers stored by GW, modelling stolen verifier attacks.
 $\mathsf{TestAKE}(\Pi_E^i)$: This query is used for determining whether the protocol achieves authenticated key exchange. If $\Pi_E^i$ has accepted, then depending on a random bit b chosen by the oracle, 𝓐 is given either the real session key $sk_E^i$ (if b = 1) or a random key drawn from the session-key space (if b = 0).
 $\mathsf{TestUA}(U)$: This query is used for determining whether the protocol provides user anonymity. Depending on a randomly chosen bit b, 𝓐 is given either the identity actually used for U in the protocol sessions (when b = 1) or a random identity drawn from the identity space (when b = 0).
Taken together, the $\mathsf{CorruptLL}$ queries also capture the notion of perfect forward secrecy. SN and GW are said to be corrupted once they have been asked a $\mathsf{CorruptLL}$ query, while U is considered corrupted only if it has been asked both $\mathsf{CorruptLL}$ and $\mathsf{CorruptSC}$ queries.
Authenticated Key Exchange (AKE)
The AKE security of an authentication and key exchange protocol P is defined via the notion of freshness. Intuitively, a fresh instance is one that holds a session key which should not be known to the adversary 𝓐, and an unfresh instance is one whose session key (or some information about the key) can be known by trivial means. A formal definition of freshness follows:
Definition 1 (Freshness). An instance $\Pi_E^i$ is fresh if none of the following occurs:
 𝓐 queries $\mathsf{Reveal}(\Pi_E^i)$ or $\mathsf{Reveal}(\Pi_{E'}^j)$, where $\Pi_{E'}^j$ is the partner of $\Pi_E^i$.
 𝓐 queries both $\mathsf{CorruptLL}(U)$ and $\mathsf{CorruptSC}(U)$, where U is E itself or the peer entity of E.
 𝓐 queries $\mathsf{CorruptLL}(SN)$, where SN is E itself or the peer entity of E.
 𝓐 queries $\mathsf{CorruptLL}(GW)$.
Note that this definition of freshness does not capture the notion of perfect forward secrecy. (As explained in the next section, the authentication and key exchange protocol of our scheme does not provide perfect forward secrecy.) The AKE security of protocol P is defined in the context of the following two-stage experiment:
Experiment ExpAKE_{0}:
 Stage 1. 𝓐 makes any oracle queries at will, except that:
 𝓐 is not allowed to make the $\mathsf{TestAKE}(\Pi_E^i)$ query if the instance $\Pi_E^i$ is not fresh.
 𝓐 is not allowed to make the $\mathsf{Reveal}(\Pi_E^i)$ query if it has already made a $\mathsf{TestAKE}$ query to $\Pi_E^i$ or its partner instance.
 𝓐 is not allowed to access the $\mathsf{TestUA}$ oracle.
 Stage 2. Once 𝓐 decides that Stage 1 is over, it outputs a bit b′ as a guess of the hidden bit b chosen by the $\mathsf{TestAKE}$ oracle. 𝓐 is said to succeed if b = b′.
Let $\mathsf{SuccAKE}_0$ be the event that 𝓐 succeeds in the experiment ExpAKE_{0}, and $\mathsf{Adv}_P^{\mathrm{AKE}}(\mathcal{A})$ denote the advantage of 𝓐 in breaking the AKE security of protocol P. Then, we define $\mathsf{Adv}_P^{\mathrm{AKE}}(\mathcal{A}) = 2 \cdot \Pr_{P,\mathcal{A}}[\mathsf{SuccAKE}_0] - 1$.
Definition 2 (AKE Security). An authentication and key exchange protocol P is AKE-secure if $\mathsf{Adv}_P^{\mathrm{AKE}}(\mathcal{A})$ is negligible for any ppt adversary 𝓐.
User Anonymity
An authentication and key exchange protocol that does not provide user anonymity may still be AKE-secure; that is, AKE security does not imply user anonymity. Therefore, a separate definition is necessary to capture the user anonymity property. Our definition of user anonymity is based on the notion of cleanness.
Definition 3 (Cleanness). A user U ∈ 𝓤 is clean if none of the following occurs:
 𝓐 queries both $\mathsf{CorruptLL}(U)$ and $\mathsf{CorruptSC}(U)$.
 𝓐 queries $\mathsf{CorruptLL}(GW)$.
Note that the definition of cleanness does not impose any restriction on making $\mathsf{\text{CorruptLL}}$ queries to sensors. This reflects our objective to achieve user anonymity even against sensors.
User anonymity is formalized in the context of the following two-stage experiment:
Experiment ExpUA_{0}:
 Stage 1. 𝓐 makes any oracle queries at will, except that:
 𝓐 is not allowed to make the $\mathsf{TestUA}(U)$ query if the user U is not clean.
 𝓐 is not allowed to corrupt GW or U (in the sense of Definition 3, i.e., to make $\mathsf{CorruptLL}(GW)$, or both $\mathsf{CorruptLL}(U)$ and $\mathsf{CorruptSC}(U)$) once it has made the $\mathsf{TestUA}(U)$ query.
 𝓐 is not allowed to access the $\mathsf{TestAKE}$ oracle.
 Stage 2. Once 𝓐 decides that Stage 1 is over, it outputs a bit b′ as a guess of the hidden bit b chosen by the $\mathsf{TestUA}$ oracle. 𝓐 is said to succeed if b = b′.
Let $\mathsf{SuccUA}_0$ be the event that 𝓐 succeeds in the experiment ExpUA_{0}, and $\mathsf{Adv}_P^{\mathrm{UA}}(\mathcal{A})$ denote the advantage of 𝓐 in attacking the user anonymity of protocol P. Then, we define $\mathsf{Adv}_P^{\mathrm{UA}}(\mathcal{A}) = 2 \cdot \Pr_{P,\mathcal{A}}[\mathsf{SuccUA}_0] - 1$.
Definition 4 (User Anonymity). An authentication and key exchange protocol P provides user anonymity if $\mathsf{Adv}_P^{\mathrm{UA}}(\mathcal{A})$ is negligible for any ppt adversary 𝓐.
Our Proposed Scheme
Our scawsn scheme restricts the use of elliptic curve cryptography to anonymous user-to-gateway authentication and thereby allows sensor nodes to perform only lightweight cryptographic operations such as symmetric encryption/decryption, MAC generation/verification, and hash function evaluation. We begin by describing the cryptographic building blocks on which the security of our scheme depends.
Building Blocks
Elliptic curve computational Diffie-Hellman (ECCDH) problem.
Let 𝔾 be an elliptic curve group of prime order q. Typically, 𝔾 will be a subgroup of the group of points on an elliptic curve over a finite field. Any elliptic curve and finite field recommended by NIST [31] can be used to instantiate the group 𝔾. The recent work of Choi et al. [20], for example, describes a typical elliptic curve group of prime order. Let P be a generator of 𝔾. The ECCDH problem for 𝔾 is to compute xyP ∈ 𝔾 when given two elements (xP, yP) ∈ 𝔾^{2}, where $x, y \in_R \mathbb{Z}_q^*$. We say that the ECCDH assumption holds for 𝔾 if it is computationally infeasible to solve the ECCDH problem for 𝔾. Let $\mathsf{Adv}_{\mathbb{G}}^{\mathrm{ECCDH}}(\mathcal{A})$ be the advantage of an algorithm 𝓐 in solving the ECCDH problem for 𝔾, defined as $\mathsf{Adv}_{\mathbb{G}}^{\mathrm{ECCDH}}(\mathcal{A}) = \Pr[\mathcal{A}(\mathbb{G}, P, xP, yP) = xyP]$. We assume that $\mathsf{Adv}_{\mathbb{G}}^{\mathrm{ECCDH}}(\mathcal{A})$ is negligible for all ppt algorithms 𝓐 (i.e., the ECCDH assumption holds in 𝔾). We denote by $\mathsf{Adv}_{\m
athbb{G}}^{\mathrm{ECCDH}}(t)$ the maximum value of $\mathsf{Adv}_{\mathbb{G}}^{\mathrm{ECCDH}}(\mathcal{A})$ over all algorithms 𝓐 running in time at most t.
Message authentication code schemes.
A message authentication code (MAC) scheme Σ is a pair of efficient algorithms ($\mathsf{Mac}$, $\mathsf{Ver}$) where: (1) the MAC generation algorithm $\mathsf{Mac}$ takes as input an ℓ-bit key k and a message m, and outputs a MAC σ; and (2) the MAC verification algorithm $\mathsf{Ver}$ takes as input a key k, a message m, and a MAC σ, and outputs 1 if σ is valid for message m under the key k, or 0 if σ is invalid. We require that Σ achieve strong existential unforgeability against chosen message attacks. To formally define this requirement, let $\mathsf{Adv}_{\Sigma}^{\mathrm{EF\text{-}CMA}}(\mathcal{A})$ be the probability that an adversary 𝓐, who mounts an adaptive chosen message attack against Σ with oracle access to $\mathsf{Mac}_k(\cdot)$ and $\mathsf{Ver}_k(\cdot)$, outputs a message/tag pair (m, σ) such that: (1) $\mathsf{Ver}_k(m, \sigma) = 1$ and (2) σ has not been output by the oracle $\mathsf{Mac}_k(\cdot)$ as a MAC on the message m. Then, we say that the MAC scheme Σ is secure if $\mathsf{Adv}_{\Sigma}^{\mathrm{EF\text{-}CMA}}(\mathcal{A})$ is negligible for every ppt adversary 𝓐. We use $\mathsf{Adv}_{\Sigma}^{\mathrm{EF\text{-}CMA}}(t)$ to denote the maximum value of $\mathsf{Adv}_{\Sigma}^{\mathrm{EF\text{-}CMA}}(\mathcal{A})$ over all adversaries 𝓐 running in time at most t.
Cryptographic hash functions.
Let κ be the bitlength of session keys, ℓ be as defined for Σ, and ω be the bitlength of EID_{U} (see the registration phase of our scheme described in the next section). Then, our scheme uses three cryptographic hash functions H:{0, 1}* → {0, 1}^{κ}, J:{0, 1}* → {0, 1}^{ℓ}, and I:{0, 1}* → {0, 1}^{ω}. These hash functions are modelled as random oracles in our security proofs.
Symmetric encryption schemes.
A symmetric encryption scheme Δ is a pair of efficient algorithms ($\mathsf{Enc}$, $\mathsf{Dec}$) where: (1) the encryption algorithm $\mathsf{Enc}$ takes as input an ℓ-bit key k and a plaintext message m, and outputs a ciphertext c; and (2) the decryption algorithm $\mathsf{Dec}$ takes as input a key k and a ciphertext c, and outputs a message m. For an eavesdropping adversary 𝓐 against Δ, an integer n ≥ 1 and a random bit b ∈_R {0, 1}, consider the following indistinguishability experiment in which only a single encryption key is used:
Experiment $\mathbf{Exp}_{\Delta}^{\mathrm{IND\text{-}SEK}}(\mathcal{A}, n, b)$
 k ∈_R {0, 1}^{ℓ}
 for i = 1 to n
  (m_{i,0}, m_{i,1}) ← 𝓐(Δ)
  $c_i \leftarrow \mathsf{Enc}_k(m_{i,b})$
  𝓐(c_i)
 b′ ← 𝓐, where b′ ∈ {0, 1}
 return b′
We use $\mathsf{Adv}_{\Delta}^{\mathrm{IND\text{-}SEK}}(\mathcal{A})$ to denote the advantage of 𝓐 in violating the indistinguishability of Δ in experiment $\mathbf{Exp}_{\Delta}^{\mathrm{IND\text{-}SEK}}(\mathcal{A}, n, b)$, and define it as $\mathsf{Adv}_{\Delta}^{\mathrm{IND\text{-}SEK}}(\mathcal{A}) = \left|\Pr[\mathbf{Exp}_{\Delta}^{\mathrm{IND\text{-}SEK}}(\mathcal{A}, n, 1) = 1] - \Pr[\mathbf{Exp}_{\Delta}^{\mathrm{IND\text{-}SEK}}(\mathcal{A}, n, 0) = 1]\right|$. We say that the symmetric encryption scheme Δ is secure if $\mathsf{Adv}_{\Delta}^{\mathrm{IND\text{-}SEK}}(\mathcal{A})$ is negligible for every ppt eavesdropper 𝓐. Let $\mathsf{Adv}_{\Delta}^{\mathrm{IND\text{-}SEK}}(t)$ be the maximum value of $\mathsf{Adv}_{\Delta}^{\mathrm{IND\text{-}SEK}}(\mathcal{A})$ over all 𝓐 running in time at most t.
We now claim that if a symmetric encryption scheme is secure with respect to a single encryption key, then it is also secure with respect to multiple encryption keys. Consider the following indistinguishability experiment in which d encryption keys are used:
Experiment $\mathbf{Exp}_{\Delta}^{\mathrm{IND\text{-}MEK}}(\mathcal{A}, n, d, b)$
 for i = 1 to d
  k_i ∈_R {0, 1}^{ℓ}
  for j = 1 to n
   (m_{i,j,0}, m_{i,j,1}) ← 𝓐(Δ)
   $c_{i,j} \leftarrow \mathsf{Enc}_{k_i}(m_{i,j,b})$
   𝓐(c_{i,j})
 b′ ← 𝓐, where b′ ∈ {0, 1}
 return b′
We define $\mathsf{Adv}_{\Delta}^{\mathrm{IND\text{-}MEK}}(\mathcal{A})$ and $\mathsf{Adv}_{\Delta}^{\mathrm{IND\text{-}MEK}}(t)$ respectively as $\mathsf{Adv}_{\Delta}^{\mathrm{IND\text{-}MEK}}(\mathcal{A}) = \left|\Pr[\mathbf{Exp}_{\Delta}^{\mathrm{IND\text{-}MEK}}(\mathcal{A}, n, d, 1) = 1] - \Pr[\mathbf{Exp}_{\Delta}^{\mathrm{IND\text{-}MEK}}(\mathcal{A}, n, d, 0) = 1]\right|$ and $\mathsf{Adv}_{\Delta}^{\mathrm{IND\text{-}MEK}}(t) = \max_{\mathcal{A}} \mathsf{Adv}_{\Delta}^{\mathrm{IND\text{-}MEK}}(\mathcal{A})$, where the maximum is over all 𝓐 running in time at most t.
Lemma 1. For any symmetric encryption scheme Δ, $\mathsf{Adv}_{\Delta}^{\mathrm{IND\text{-}MEK}}(t) \le d \cdot \mathsf{Adv}_{\Delta}^{\mathrm{IND\text{-}SEK}}(t)$, where d is as defined for experiment $\mathbf{Exp}_{\Delta}^{\mathrm{IND\text{-}MEK}}(\mathcal{A}, n, d, b)$.
Proof. Assume an adversary 𝓐 who attacks the indistinguishability of Δ in $\mathbf{Exp}_{\Delta}^{\mathrm{IND\text{-}MEK}}(\mathcal{A}, n, d, b)$ with time complexity t. The proof proceeds by a standard hybrid argument [32]. Consider a sequence of d + 1 hybrid experiments $\mathbf{Exp}_{\Delta,\xi}^{\mathrm{IND\text{-}MEK}}(\mathcal{A}, n, d, b)$, 0 ≤ ξ ≤ d, where each $\mathbf{Exp}_{\Delta,\xi}^{\mathrm{IND\text{-}MEK}}(\mathcal{A}, n, d, b)$ differs from $\mathbf{Exp}_{\Delta}^{\mathrm{IND\text{-}MEK}}(\mathcal{A}, n, d, b)$ only in that each $c_{i,j}$ is set as follows: $c_{i,j} \leftarrow \mathsf{Enc}_{k_i}(m_{i,j,1})$ if $i \le \xi$, and $c_{i,j} \leftarrow \mathsf{Enc}_{k_i}(m_{i,j,0})$ if $i > \xi$. The experiments $\mathbf{Exp}_{\Delta,0}^{\mathrm{IND\text{-}MEK}}(\mathcal{A}, n, d, b)$ and $\mathbf{Exp}_{\Delta,d}^{\mathrm{IND\text{-}MEK}}(\mathcal{A}, n, d, b)$ at the extremes of the sequence are identical to the experiments $\mathbf{Exp}_{\Delta}^{\mathrm{IND\text{-}MEK}}(\mathcal{A}, n, d, 0)$ and $\mathbf{Exp}_{\Delta}^{\mathrm{IND\text{-}MEK}}(\mathcal{A}, n, d, 1)$, respectively. As we move from $\mathbf{Exp}_{\Delta,\xi-1}^{\mathrm{IND\text{-}MEK}}(\mathcal{A}, n, d, b)$ to $\mathbf{Exp}_{\Delta,\xi}^{\mathrm{IND\text{-}MEK}}(\mathcal{A}, n, d, b)$ in the sequence, we change the n ciphertexts $c_{\xi,1}, \ldots, c_{\xi,n}$ from encryptions of the first plaintexts to encryptions of the second plaintexts. Since there are d such moves from $\mathbf{Exp}_{\Delta,0}^{\mathrm{IND\text{-}MEK}}(\mathcal{A}, n, d, b)$ to $\mathbf{Exp}_{\Delta,d}^{\mathrm{IND\text{-}MEK}}(\mathcal{A}, n, d, b)$, the inequality of the lemma follows immediately once we prove that the difference between the probabilities that 𝓐 outputs 1 in any two neighboring experiments $\mathbf{Exp}_{\Delta,\xi-1}^{\mathrm{IND\text{-}MEK}}(\mathcal{A}, n, d, b)$ and $\mathbf{Exp}_{\Delta,\xi}^{\mathrm{IND\text{-}MEK}}(\mathcal{A}, n, d, b)$ is at most $\mathsf{Adv}_{\Delta}^{\mathrm{IND\text{-}SEK}}(t)$.
That is, to complete the proof, it suffices to show that for any 1 ≤ ξ ≤ d,
$\left|\Pr[\mathbf{Exp}_{\Delta,\xi-1}^{\mathrm{IND\text{-}MEK}}(\mathcal{A}, n, d, b) = 1] - \Pr[\mathbf{Exp}_{\Delta,\xi}^{\mathrm{IND\text{-}MEK}}(\mathcal{A}, n, d, b) = 1]\right| \le \mathsf{Adv}_{\Delta}^{\mathrm{IND\text{-}SEK}}(t).$ (1)
Let $\varepsilon = \left|\Pr[\mathbf{Exp}_{\Delta,\xi-1}^{\mathrm{IND\text{-}MEK}}(\mathcal{A}, n, d, b) = 1] - \Pr[\mathbf{Exp}_{\Delta,\xi}^{\mathrm{IND\text{-}MEK}}(\mathcal{A}, n, d, b) = 1]\right|$. Then, to prove Equation 1, we construct from 𝓐 an adversary $\mathcal{A}_\xi$ who attacks the indistinguishability of Δ in $\mathbf{Exp}_{\Delta}^{\mathrm{IND\text{-}SEK}}(\mathcal{A}_\xi, n, b)$ with advantage ε.
$\mathcal{A}_\xi$ begins by invoking adversary 𝓐, then simulates the indistinguishability experiment for 𝓐, and finally outputs whatever bit 𝓐 eventually outputs. In the simulated experiment, $\mathcal{A}_\xi$ generates the ciphertexts exactly as in the hybrid experiment $\mathbf{Exp}_{\Delta,\xi}^{\mathrm{IND\text{-}MEK}}(\mathcal{A}, n, d, b)$ except that it generates $c_{\xi,1}, \ldots, c_{\xi,n}$ as follows:
When 𝓐 outputs the n plaintext pairs $(m_{\xi,1,0}, m_{\xi,1,1}), \ldots, (m_{\xi,n,0}, m_{\xi,n,1})$, $\mathcal{A}_\xi$ outputs them as its own plaintext pairs in experiment $\mathbf{Exp}_{\Delta}^{\mathrm{IND\text{-}SEK}}(\mathcal{A}_\xi, n, b)$, receives in return the ciphertexts $c_1, \ldots, c_n$, and sets $c_{\xi,1} = c_1, \ldots, c_{\xi,n} = c_n$.
Then, it follows that:
 the probability that $\mathcal{A}_\xi$ outputs 1 when the given ciphertexts are encryptions of the first plaintexts (b = 0) equals the probability that 𝓐 outputs 1 in the experiment $\mathbf{Exp}_{\Delta,\xi-1}^{\mathrm{IND\text{-}MEK}}(\mathcal{A}, n, d, b)$, and
 the probability that $\mathcal{A}_\xi$ outputs 1 when the given ciphertexts are encryptions of the second plaintexts (b = 1) equals the probability that 𝓐 outputs 1 in the experiment $\mathbf{Exp}_{\Delta,\xi}^{\mathrm{IND\text{-}MEK}}(\mathcal{A}, n, d, b)$.
That is, $\mathsf{Adv}_{\Delta}^{\mathrm{IND\text{-}SEK}}(\mathcal{A}_\xi) = \left|\Pr[\mathbf{Exp}_{\Delta}^{\mathrm{IND\text{-}SEK}}(\mathcal{A}_\xi, n, 1) = 1] - \Pr[\mathbf{Exp}_{\Delta}^{\mathrm{IND\text{-}SEK}}(\mathcal{A}_\xi, n, 0) = 1]\right| = \varepsilon$. Since $\mathcal{A}_\xi$ has time complexity t, it follows that $\mathsf{Adv}_{\Delta}^{\mathrm{IND\text{-}SEK}}(\mathcal{A}_\xi) \le \mathsf{Adv}_{\Delta}^{\mathrm{IND\text{-}SEK}}(t)$ by definition. This completes the proof of Equation 1 and hence the proof of Lemma 1.
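The step that the proof says "follows immediately", written out as an added derivation (it is not in the original): the d-term telescoping sum over the hybrid experiments, abbreviating $\mathbf{Exp}_{\Delta,\xi}^{\mathrm{IND\text{-}MEK}}(\mathcal{A}, n, d, b)$ as $\mathbf{Exp}_\xi$.

$$
\begin{aligned}
\mathsf{Adv}_{\Delta}^{\mathrm{IND\text{-}MEK}}(\mathcal{A})
&= \left|\Pr[\mathbf{Exp}_{d} = 1] - \Pr[\mathbf{Exp}_{0} = 1]\right| \\
&= \left|\sum_{\xi=1}^{d}\left(\Pr[\mathbf{Exp}_{\xi} = 1] - \Pr[\mathbf{Exp}_{\xi-1} = 1]\right)\right| \\
&\le \sum_{\xi=1}^{d}\left|\Pr[\mathbf{Exp}_{\xi} = 1] - \Pr[\mathbf{Exp}_{\xi-1} = 1]\right| \\
&\le \sum_{\xi=1}^{d}\mathsf{Adv}_{\Delta}^{\mathrm{IND\text{-}SEK}}(t) = d \cdot \mathsf{Adv}_{\Delta}^{\mathrm{IND\text{-}SEK}}(t).
\end{aligned}
$$

The first equality uses that $\mathbf{Exp}_0$ and $\mathbf{Exp}_d$ are the b = 0 and b = 1 cases of the multi-key experiment, the second is the telescoping identity (all intermediate terms cancel), the third is the triangle inequality, and the last applies Equation 1 to each of the d neighboring pairs. Taking the maximum over all 𝓐 running in time at most t gives the statement of Lemma 1.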
Description of the Scheme
The scheme consists of three phases: the registration phase, the authentication and key exchange phase, and the password update phase. During the system initialization, the gateway GW determines the following public parameters: (1) an elliptic curve group 𝔾 with a generator P of prime order q, (2) a MAC scheme $\Sigma =(\mathsf{\text{Mac}},\mathsf{\text{Ver}})$, (3) a symmetric encryption scheme $\Delta =(\mathsf{\text{Enc}},\mathsf{\text{Dec}})$, and (4) three hash functions H, J and I. We assume that these parameters are known to all parties in the network including the adversary 𝓐. As part of the system initialization, GW chooses two master secrets $y\in {\mathbb{Z}}_{q}^{*}$ and z ∈ {0, 1}^{ℓ}, computes its public key Y = yP, and shares a secret key k_{GS} = J(ID_{SN}‖z) with each sensor SN.
Registration phase.
A user U should register itself with the gateway GW before it can ever gain access to the sensor network and data. The registration proceeds as follows:
 U chooses its identity ID_{U} and password PW_{U} at will, and submits the identity ID_{U} to GW via a secure channel.
 GW computes $EI{D}_{U}={\mathsf{\text{Enc}}}_{z}(I{D}_{U}\Vert I{D}_{GW})$ and issues U a smart card loaded with {EID_{U}, Y, ID_{GW}, 𝔾, P, Σ, Δ, H, J, I}. (We assume that q is implicit in 𝔾.)
 U replaces EID_{U} with XEID_{U} = EID_{U}⊕I(ID_{U}‖PW_{U}).
Authentication and key exchange phase.
U needs to perform this phase with SN and GW whenever it wishes to access the sensor network and data. The steps of the phase are depicted in Fig. 1 and are described as follows:
 Step 1. U inserts its smart card into a card reader and inputs its identity ID_{U} and password PW_{U}. Then, the smart card retrieves the current timestamp T_{U}, selects two random $x\in {\mathbb{Z}}_{q}^{*}$ and k_{US} ∈ {0, 1}^{κ}, and computes After the computations, the smart card sends the message M_{1} = ⟨T_{U},ID_{SN},X,C_{U},σ_{U}⟩ to the gateway GW.
 Step 2. GW rejects the message M_{1} (and aborts the session) if T_{U} is not fresh. Otherwise, GW computes K_{UG} = yX and k_{UG} = J(T_{U}‖X‖Y‖K_{UG}), and checks if ${\mathsf{\text{Ver}}}_{{k}_{UG}}(I{D}_{GW}\Vert I{D}_{SN}\Vert $ T_{U}‖C_{U},σ_{U}) = 1. If the check fails, GW aborts the session. Otherwise, GW decrypts C_{U} with key k_{UG} and then EID_{U} with key z, and checks if the decryption of EID_{U} yields the same ID_{U} as produced through the decryption of C_{U}. Only if the two IDs match, GW retrieves the current timestamp T_{GW}, computes and sends the message M_{2} = ⟨ID_{GW},T_{GW},T_{U},C_{GW},σ_{GW}⟩ to the sensor SN.
 Step 3. Upon receiving M_{2}, SN verifies that (1) T_{GW} is fresh and (2) ${\mathsf{\text{Ver}}}_{{k}_{GS}}(I{D}_{GW}\Vert I{D}_{SN}\Vert {T}_{GW}\Vert $ T_{U}‖C_{GW},σ_{GW}) = 1. If any of the verifications fails, SN aborts the session. Otherwise, SN decrypts C_{GW} to obtain k_{US} and computes the session key sk and the authenticator ρ_{SN} as follows: Then, SN sends the message M_{3} = ⟨ρ_{SN}⟩ to the user U.
 Step 4. With M_{3} in hand, U checks if ρ_{SN} is equal to H(k_{US}‖ID_{SN}‖T_{U}). U aborts the session if the check fails or otherwise computes the session key sk = H(k_{US}‖T_{U}‖ID_{SN}).
Password update phase.
One of the recommended guidelines for achieving better password security is to enforce regular password updates. In our scheme, users can change their passwords either non-interactively or interactively. The non-interactive password change procedure proceeds as follows:
 U inserts his smart card into a card reader and enters the identity ID_{U}, the current password PW_{U}, and the new password $P{W}_{U}^{\prime}$.
 The smart card computes $XEI{D}_{U}^{\prime}=XEI{D}_{U}\oplus I(I{D}_{U}\Vert P{W}_{U})\oplus I(I{D}_{U}\Vert P{W}_{U}^{\prime})$ and replaces XEID_{U} with $XEI{D}_{U}^{\prime}$.
Although this procedure is simple and non-interactive, it may render the smart card unusable if the user enters a wrong password by mistake or an adversary intentionally inputs an arbitrary password after gaining temporary access to the smart card. When an invalid password is entered, subsequent login requests of the user will be rejected unless it re-registers with the gateway. This problem can be addressed by storing a password verifier on the smart card, which is used to check the correctness of the user-given password. However, as soon as the smart card contains a password verifier, the scheme becomes vulnerable to an offline dictionary attack under the non-tamper-resistance assumption of smart cards and, consequently, fails to achieve two-factor security. This is clearly unacceptable and, therefore, we suggest the following interactive password change procedure.
 U inserts his smart card into a card reader and enters the identity ID_{U}, the current password PW_{U}, and the new password $P{W}_{U}^{\prime}$.
 The smart card retrieves the current timestamp T_{U}, selects a random $x\in {\mathbb{Z}}_{q}^{*}$, and computes The smart card sends a password update request ⟨T_{U},X,C_{U}⟩ to the gateway GW.
 GW rejects the request if T_{U} is not fresh. Otherwise, GW computes K_{UG} = yX and k_{UG} = J(T_{U}‖X‖Y‖K_{UG}), decrypts C_{U} with key k_{UG} and then EID_{U} with key z, and checks whether the two decryptions return the same ID_{U}. If the check succeeds, GW computes ρ_{GW} = H(ID_{GW}‖ID_{U}‖X‖k_{UG}) and sends it to the smart card. Otherwise, GW sends a failure message to the smart card.
 The smart card aborts the password change procedure if it receives a failure message or ρ_{GW} is not equal to H(ID_{GW}‖ID_{U}‖X‖k_{UG}). Otherwise, it sets $XEI{D}_{U}=EI{D}_{U}\oplus I(I{D}_{U}\Vert P{W}_{U}^{\prime})$.
This interactive password change procedure provides a secure yet practical way of updating user passwords, though it is more expensive than the non-interactive one.
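To make the registration, authentication and key exchange, and interactive password update phases concrete, the following is an added end-to-end simulation written for this page (example code, not the authors' implementation). It assumes secp256k1 for 𝔾, domain-separated SHA-256 for H, J and I, HMAC-SHA256 for Σ, a constructed SHA-256 counter-mode stream cipher for Δ, 8-byte identities, a 60-second freshness window, C_GW = Enc_{k_GS}(k_US), and C_U = Enc_{k_UG}(ID_U‖EID_U) in the password update request; σ_U, σ_GW and C_U in Step 1 are built from the verification checks stated in Steps 2 and 3 and in the stolen-smart-card discussion.

```python
import hashlib, hmac, os, time
# secp256k1 as the assumed instantiation of (𝔾, P, q); any prime-order group would do.
p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
P = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
assert (P[1] * P[1] - P[0] ** 3 - 7) % p == 0  # sanity check: P lies on y^2 = x^3 + 7

def ec_add(A, B):  # affine point addition; None is the point at infinity
    if A is None: return B
    if B is None: return A
    if A[0] == B[0] and (A[1] + B[1]) % p == 0: return None
    lam = (3 * A[0] * A[0] * pow(2 * A[1], -1, p) if A == B
           else (B[1] - A[1]) * pow(B[0] - A[0], -1, p)) % p
    x = (lam * lam - A[0] - B[0]) % p
    return (x, (lam * (A[0] - x) - A[1]) % p)
def ec_mul(k, A):  # scalar-point multiplication by double-and-add
    R = None
    while k:
        if k & 1: R = ec_add(R, A)
        A, k = ec_add(A, A), k >> 1
    return R
enc_pt = lambda A: A[0].to_bytes(32, "big") + A[1].to_bytes(32, "big")  # point -> bytes for ‖
rand_zq = lambda: 1 + int.from_bytes(os.urandom(32), "big") % (q - 1)     # random element of Z_q^*
now = lambda: int(time.time()).to_bytes(8, "big")                          # timestamp T
fresh = lambda T: abs(int.from_bytes(T, "big") - int(time.time())) <= 60   # 60 s window (assumed)
xor = lambda a, b: bytes(u ^ v for u, v in zip(a, b))

# H, J, I: domain-separated SHA-256.  Σ = HMAC-SHA256.  Δ = constructed SHA-256 counter-mode
# stream cipher with a random 16-byte nonce (integrity comes from Σ, as in the scheme).
H = lambda m: hashlib.sha256(b"H" + m).digest()
J = lambda m: hashlib.sha256(b"J" + m).digest()
I = lambda m: hashlib.sha256(b"I" + m).digest()
Mac = lambda k, m: hmac.new(k, m, hashlib.sha256).digest()
Ver = lambda k, m, s: hmac.compare_digest(Mac(k, m), s)
def _ks(k, n, ln):
    return b"".join(hashlib.sha256(k + n + i.to_bytes(4, "big")).digest() for i in range((ln + 31) // 32))[:ln]
def Enc(k, m): n = os.urandom(16); return n + xor(m, _ks(k, n, len(m)))
Dec = lambda k, c: xor(c[16:], _ks(k, c[:16], len(c) - 16))

# System setup: 8-byte identities (constructed), GW master secrets y, z, public key Y = yP, k_GS = J(ID_SN‖z).
ID_GW, ID_SN, y, z = b"GATEWAY1", b"SENSOR01", rand_zq(), os.urandom(32)
Y, k_GS = ec_mul(y, P), J(ID_SN + z)

def register(ID_U, PW_U):  # registration: GW issues EID_U = Enc_z(ID_U‖ID_GW); the card keeps only XEID_U
    return {"XEID": xor(Enc(z, ID_U + ID_GW), I(ID_U + PW_U))}
def card_open(card, ID_U, PW_U):  # card side: unmask EID_U, pick x, derive k_UG from K_UG = xY
    T_U, x = now(), rand_zq()
    X = ec_mul(x, P)
    k_UG = J(T_U + enc_pt(X) + enc_pt(Y) + enc_pt(ec_mul(x, Y)))
    return T_U, X, k_UG, xor(card["XEID"], I(ID_U + PW_U))
gw_kug = lambda T_U, X: J(T_U + enc_pt(X) + enc_pt(Y) + enc_pt(ec_mul(y, X)))  # K_UG = yX
def gw_check_id(k_UG, C_U):  # decrypt C_U with k_UG, then EID_U with z; both must name the same ID_U
    pt = Dec(k_UG, C_U)
    return pt if Dec(z, pt[8:40]) == pt[:8] + ID_GW else None

def user_step1(card, ID_U, PW_U):  # M1 = ⟨T_U, ID_SN, X, C_U, σ_U⟩ plus the state the card keeps
    T_U, X, k_UG, EID_U = card_open(card, ID_U, PW_U)
    k_US = os.urandom(16)  # κ = 128
    C_U = Enc(k_UG, ID_U + EID_U + k_US)
    return (T_U, ID_SN, X, C_U, Mac(k_UG, ID_GW + ID_SN + T_U + C_U)), (T_U, k_US)
def gw_step2(M1):  # M2 = ⟨ID_GW, T_GW, T_U, C_GW, σ_GW⟩, or None when GW aborts
    T_U, ID_SNr, X, C_U, sigma_U = M1
    k_UG = gw_kug(T_U, X)
    if not (fresh(T_U) and Ver(k_UG, ID_GW + ID_SNr + T_U + C_U, sigma_U)): return None
    pt = gw_check_id(k_UG, C_U)
    if pt is None: return None
    T_GW, C_GW = now(), Enc(k_GS, pt[40:])  # assumed: k_US forwarded to SN encrypted under k_GS
    return (ID_GW, T_GW, T_U, C_GW, Mac(k_GS, ID_GW + ID_SNr + T_GW + T_U + C_GW))
def sn_step3(M2):  # (M3 = ⟨ρ_SN⟩, SN's sk), or None when SN aborts
    ID_GWr, T_GW, T_U, C_GW, sigma_GW = M2
    if not (fresh(T_GW) and Ver(k_GS, ID_GWr + ID_SN + T_GW + T_U + C_GW, sigma_GW)): return None
    k_US = Dec(k_GS, C_GW)
    return (H(k_US + ID_SN + T_U),), H(k_US + T_U + ID_SN)
def user_step4(M3, state):  # user's sk, or None if ρ_SN does not verify
    T_U, k_US = state
    return H(k_US + T_U + ID_SN) if hmac.compare_digest(M3[0], H(k_US + ID_SN + T_U)) else None

def password_update(card, ID_U, PW_U, PW_new):  # interactive variant; C_U = Enc_kUG(ID_U‖EID_U) assumed
    T_U, X, k_UG, EID_U = card_open(card, ID_U, PW_U)
    C_U = Enc(k_UG, ID_U + EID_U)
    k_UG_gw = gw_kug(T_U, X)                                          # gateway side of the request
    pt = gw_check_id(k_UG_gw, C_U) if fresh(T_U) else None
    reply = H(ID_GW + pt[:8] + enc_pt(X) + k_UG_gw) if pt else b"FAIL"  # ρ_GW or a failure message
    if not hmac.compare_digest(reply, H(ID_GW + ID_U + enc_pt(X) + k_UG)): return False
    card["XEID"] = xor(EID_U, I(ID_U + PW_new))  # re-mask only after GW confirmed (ID_U, PW_U)
    return True
def run_session(card, ID_U, PW_U):  # (sk_U, sk_SN) on success, None if any party aborts
    M1, st = user_step1(card, ID_U, PW_U)
    M2 = gw_step2(M1)
    r = sn_step3(M2) if M2 else None
    sk_U = user_step4(r[0], st) if r else None
    return (sk_U, r[1]) if sk_U else None

if __name__ == "__main__":
    card = register(b"ALICE001", b"correct horse")
    sk = run_session(card, b"ALICE001", b"correct horse")
    print("session keys agree:", sk is not None and sk[0] == sk[1])
    print("wrong password rejected by GW:", run_session(card, b"ALICE001", b"wrong pw") is None)
```

A wrong password is detected only at GW, by the double decryption of C_U and EID_U, so nothing on the card itself can serve as a password verifier for an offline dictionary attack.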
Performance and Security Comparison
In Table 1, we provide a comparative summary of our scheme and other SCA-WSN schemes in terms of both computation and security. As shown in the table, our scheme requires the sensor SN to perform only lightweight cryptographic operations while enjoying provable anonymity in an extension of the widely accepted model of Bellare et al. [30]. While the recent schemes of Shi & Gong [12] and Choi et al. [20] provide forward secrecy, they impose 2 scalar-point multiplications on the resource-constrained sensor SN. Note that scalar-point multiplication is much more expensive than the lightweight cryptographic operations considered in the table, such as symmetric encryption/decryption, MAC generation/verification, and hash function evaluation. Moreover, these two schemes fail to achieve user anonymity despite their use of elliptic curve cryptography. The schemes presented in [10, 11, 13–19] are computationally efficient, but suffer from the inherent failure of user anonymity. To the best of our knowledge, all existing SCA-WSN schemes fall into one of these two classes.
According to Crypto++ 5.6.0 benchmarks run on an Intel Core 2 1.83 GHz processor under Windows Vista in 32-bit mode, SHA-1 and HMAC take 11.4 and 11.9 cycles per byte respectively, while AES (with a 128-bit key) takes 12.6 to 16.9 cycles per byte depending on the mode of operation (see Table 2); we refer interested readers to http://www.cryptopp.com/benchmarks.html for Crypto++ benchmarks of commonly used cryptographic algorithms.
Our scheme requires the sensor SN to perform 1E+1A+2H operations, which amount to about 4.5H operations. Therefore, in terms of computational requirements for SN, our scheme is comparable with other SCA-WSN schemes [11, 13–16, 18, 19] that use only lightweight cryptographic techniques. Although the schemes of Vaidya et al. [10] and Kim et al. [17] require SN to perform only 2 hash function evaluations, these schemes do not achieve user anonymity and are vulnerable to a stolen smart card attack. Under the non-tamper-resistance assumption of smart cards, our scheme is the only one that provides user anonymity and resists stolen smart card attacks.
Security Proofs
We now prove that the authentication and key exchange protocol of our scheme is AKE-secure (in the sense of Definition 2) and provides user anonymity (in the sense of Definition 4). Recall that the security model described in Section 2 captures various SCA-WSN specific attacks (such as stolen smart card attacks, node capture attacks, privileged insider attacks, and stolen verifier attacks) as well as other common attacks (like impersonation attacks, man-in-the-middle attacks, replay attacks, and known-key attacks) [21, 23, 25, 34]. Before providing formal security proofs in the model, we briefly discuss the security of our scheme against SCA-WSN specific attacks.
 Stolen smart card attacks. Our scheme does not require a password verifier to be stored on the smart card of user U. Moreover, even if an adversary managed to obtain the ciphertext ${C}_{U}={\mathsf{\text{Enc}}}_{{k}_{UG}}(I{D}_{U}\Vert EI{D}_{U}\Vert {k}_{US})$, the adversary would be unable to exploit C_{U} as a password verifier since, under the EC-CDH assumption, it is infeasible to compute k_{UG} = J(T_{U}‖X‖Y‖K_{UG}) from X and Y. Thus, our scheme is resistant against stolen smart card attacks.
 Node capture attacks. In our scheme, each sensor node SN holds its individual secret key k_{GS} = J(ID_{SN}‖z) which is shared only with the gateway GW. In other words, different sensor nodes have different secret keys (with an overwhelming probability). Thus, the secret key k_{GS} obtained by capturing a sensor node SN will be of no use in impersonating another sensor node SN^{′} who holds a secret key other than k_{GS}. Therefore, node capture attacks are not possible against our scheme.
 Privileged insider attacks. A privileged insider attack occurs when the gateway administrator can access a user’s password to impersonate the user. In our scheme, the gateway GW receives no password-related information from the user U and does not manage any table for storing such information. It is thus clear that privileged insider attacks cannot be mounted against our scheme.
 Stolen verifier attacks. In a stolen verifier attack, the adversary attempts to impersonate a legitimate user by stealing the user’s password verifier stored on the gateway GW. However, in our scheme, GW does not store a password verifier of any kind but stores only two master secrets y and z which are selected independently of user passwords. Hence, our scheme is secure against stolen verifier attacks.
User Anonymity
Theorem 1. Our authentication and key exchange protocol, P, provides user anonymity in the random oracle model under the EC-CDH assumption in 𝔾 and the security of the symmetric encryption scheme Δ.
Proof. Let 𝓐 be a ppt adversary against the user anonymity property of protocol P. We prove the theorem by making a series of modifications to the original experiment ExpUA_{0}, bounding the difference in the success probability of 𝓐 between two consecutive experiments, and ending up with an experiment where 𝓐 has a success probability of 1/2 (i.e., 𝓐 has no advantage). Let ${\mathsf{\text{SuccUA}}}_{i}$ denote the event that 𝓐 correctly guesses the hidden bit b chosen by the $\mathsf{\text{TestUA}}$ oracle in experiment ExpUA_{i}. Let ${t}_{UA}^{i}$ be the maximum time required to perform the experiment ExpUA_{i} involving the adversary 𝓐.
Experiment ExpUA_{1}. In this experiment, we simulate the random oracle J as follows:
Simulation of the J oracle: For each J query on a string str, the simulator first checks if an entry of the form (str,j) is in a list called JList which contains all the input-output pairs of J. If such an entry exists in JList, the simulator returns j as the output of the J query. Otherwise, the simulator chooses a random ℓ-bit string j^{′}, returns j^{′} in response to the query, and adds the entry (str,j^{′}) to JList.
For all other oracle queries of 𝓐, the simulator answers them as in the original experiment ExpUA_{0}. Then, ExpUA_{1} is perfectly indistinguishable from ExpUA_{0} and therefore, Claim 1 holds.
Claim 1. ${\mathrm{\text{Pr}}}_{P,\U0001d4d0}[{\mathsf{\text{SuccUA}}}_{1}]={\mathrm{\text{Pr}}}_{P,\U0001d4d0}[{\mathsf{\text{SuccUA}}}_{0}]$.
Experiment ExpUA_{2}. Here, we modify the experiment so that X is computed as follows:
The ExpUA_{2} modification:
 The simulator chooses a random exponent $a\in {\mathbb{Z}}_{q}^{*}$ and computes A = aP.
 For each user instance, the simulator chooses a random $r\in {\mathbb{Z}}_{q}^{*}$ and sets X = rA.
As a result of the modification, each K_{UG} is set to rayP for some random $r\in {\mathbb{Z}}_{q}^{*}$. Since the view of 𝓐 is identical between ExpUA_{2} and ExpUA_{1}, it follows that:
Claim 2. ${\mathrm{\text{Pr}}}_{P,\U0001d4d0}[{\mathsf{\text{SuccUA}}}_{2}]={\mathrm{\text{Pr}}}_{P,\U0001d4d0}[{\mathsf{\text{SuccUA}}}_{1}]$.
Experiment ExpUA_{3}. We next modify the computations of X and Y as follows:
The ExpUA_{3} modification:
 The simulator chooses two random elements A, B ∈ 𝔾 and sets Y = B.
 For each instance of clean users, the simulator chooses a random $r\in {\mathbb{Z}}_{q}^{*}$ and sets X = rA. For other instances, the simulator computes X as in experiment ExpUA_{2}.
 For each instance of clean users, the simulator sets each k_{UG} to a random ℓ-bit string. For other instances, the simulator computes k_{UG} as in experiment ExpUA_{2}.
Since k_{UG} is set to a random ℓ-bit string (for instances of clean users), the success probability of 𝓐 may be different between ExpUA_{3} and ExpUA_{2} if it makes a J(T_{U}‖X‖Y‖K_{UG}) query. However, this difference is bounded by Claim 3.
Claim 3. $\mid {\mathrm{\text{Pr}}}_{P,\U0001d4d0}[{\mathsf{\text{SuccUA}}}_{3}] - {\mathrm{\text{Pr}}}_{P,\U0001d4d0}[{\mathsf{\text{SuccUA}}}_{2}]\mid \le 1/{q}_{J}\cdot {\mathsf{\text{Adv}}}_{\mathbb{G}}^{\mathrm{\text{EC-CDH}}}({t}_{UA}^{3})$, where q_{J} is the number of queries made to the J oracle.
Proof. We prove the claim via a reduction from the EC-CDH problem, which is believed to be hard. Assume that the success probability of 𝓐 is non-negligibly different between ExpUA_{3} and ExpUA_{2}. Then we construct an algorithm 𝓐_{EC-CDH} that solves the EC-CDH problem in 𝔾 with a non-negligible advantage. The objective of 𝓐_{EC-CDH} is to compute and output the value W = uvP ∈ 𝔾 when given an EC-CDH problem instance (U = uP, V = vP) ∈ 𝔾^{2}. 𝓐_{EC-CDH} runs 𝓐 as a subroutine while simulating all the oracles on its own.
𝓐_{EC-CDH} handles all the oracle queries of 𝓐 as specified in experiment ExpUA_{3} but using U and V in place of X and Y. When 𝓐 outputs its guess b^{′}, 𝓐_{EC-CDH} chooses an entry of the form (T_{U}‖X‖Y‖K,j) at random from JList and terminates outputting K/r. From the simulation, it is clear that 𝓐_{EC-CDH} outputs the desired result W = uvP with probability at least 1/q_{J} if 𝓐 makes a J(T_{U}‖X‖Y‖K_{UG}) query for some instance of a clean user U ∈ 𝓤. This completes the proof of Claim 3.
Experiment ExpUA_{4}. We finally modify the experiment so that, for each clean user U ∈ 𝓤, a random identity $I{D}_{U}^{\prime}$ drawn from the identity space is used in place of the true identity ID_{U} in generating C_{U}.
Claim 4. $\mid {\mathrm{\text{Pr}}}_{P,\U0001d4d0}[{\mathsf{\text{SuccUA}}}_{4}] - {\mathrm{\text{Pr}}}_{P,\U0001d4d0}[{\mathsf{\text{SuccUA}}}_{3}]\mid \le {\mathsf{\text{Adv}}}_{\Delta}^{\mathrm{\text{IND-MEK}}}({t}_{UA}^{4})$.
Proof. We prove the claim by constructing an eavesdropping adversary 𝓐_{IND-MEK} who attacks the indistinguishability of Δ in ${\mathbf{\text{Exp}}}_{\Delta}^{\mathrm{\text{IND-MEK}}}(\U0001d4d0,n,d,b)$ with advantage equal to $\mid {\mathrm{\text{Pr}}}_{P,\U0001d4d0}[{\mathsf{\text{SuccUA}}}_{4}] - {\mathrm{\text{Pr}}}_{P,\U0001d4d0}[{\mathsf{\text{SuccUA}}}_{3}]\mid $ (see Section 1 for details of experiment ${\mathbf{\text{Exp}}}_{\Delta}^{\mathrm{\text{IND-MEK}}}(\U0001d4d0,n,d,b)$).
𝓐_{IND-MEK} begins by choosing a random bit b ∈ {0, 1}. Then, 𝓐_{IND-MEK} invokes the adversary 𝓐 and answers all the oracle queries of 𝓐 as in experiment ExpUA_{3} except that, for each clean user U ∈ 𝓤, it generates C_{U} by accessing its own encryption oracle as follows:
𝓐_{IND-MEK} outputs $(I{D}_{U}\Vert EI{D}_{U}\Vert {k}_{US},I{D}_{U}^{\prime}\Vert EI{D}_{U}\Vert {k}_{US})$ as the first plaintext pair in the indistinguishability experiment ${\mathbf{\text{Exp}}}_{\Delta}^{\mathrm{\text{IND-MEK}}}$. Let c_{1} be the ciphertext received in return for the first pair. 𝓐_{IND-MEK} sets C_{U} equal to the ciphertext c_{1}.
That is, 𝓐_{IND-MEK} sets C_{U} to the encryption of either ID_{U}‖EID_{U}‖k_{US} or $I{D}_{U}^{\prime}\Vert EI{D}_{U}\Vert {k}_{US}$. Now when 𝓐 terminates and outputs its guess b^{′}, 𝓐_{IND-MEK} outputs 1 if b = b^{′}, and 0 otherwise. Then, it is clear that:
 the probability that 𝓐_{IND-MEK} outputs 1 when the first plaintexts are encrypted in the experiment ${\mathbf{\text{Exp}}}_{\Delta}^{\mathrm{\text{IND-MEK}}}$ is equal to the probability that 𝓐 succeeds in the experiment ExpUA_{3}, and
 the probability that 𝓐_{IND-MEK} outputs 1 when the second plaintexts are encrypted in the experiment ${\mathbf{\text{Exp}}}_{\Delta}^{\mathrm{\text{IND-MEK}}}$ is equal to the probability that 𝓐 succeeds in the experiment ExpUA_{4}.
In the experiment ExpUA_{4}, the adversary 𝓐 gains no information on the hidden bit b chosen by the $\mathsf{\text{TestUA}}$ oracle because the identities of all clean users are chosen uniformly at random from the identity space. It, therefore, follows that ${\mathrm{\text{Pr}}}_{P,\U0001d4d0}[{\mathsf{\text{SuccUA}}}_{4}]=1/2$. This result combined with Claims 1–4 yields the statement of Theorem 1.
AKE Security
Theorem 2. As long as the MAC scheme Σ and the symmetric encryption scheme Δ are both secure, our authentication and key exchange protocol P is secure in the random oracle model under the EC-CDH assumption in 𝔾.
Proof. Fix a ppt adversary 𝓐 against the security of the protocol P. To prove the theorem, we make a series of modifications to the original experiment ExpAKE_{0}, bounding the effect of each change in the experiment on the success probability of 𝓐 and ending up with an experiment where 𝓐 has a success probability of 1/2. We use ${\mathsf{\text{SuccAKE}}}_{i}$ to denote the event that 𝓐 correctly guesses the hidden bit b chosen by the $\mathsf{\text{Test}}$ oracle in experiment ExpAKE_{i}. Let ${t}_{AKE}^{i}$ be the maximum time required to perform the experiment ExpAKE_{i} involving the adversary 𝓐.
Experiment ExpAKE_{1}. This experiment is different from ExpAKE_{0} in that the random oracle J is simulated as follows:
Simulation of the J oracle: For each J query on a string str, the simulator first checks if an entry of the form (str,j) is in a list called JList which contains all the input-output pairs of J. If such an entry exists in JList, the simulator returns j as the output of the J query. Otherwise, the simulator chooses a random ℓ-bit string j^{′}, returns j^{′} in response to the query, and adds the entry (str,j^{′}) to JList.
The other oracle queries of 𝓐 are answered as in the original experiment ExpAKE_{0}. Then, since J is a random oracle, ExpAKE_{1} is perfectly indistinguishable from ExpAKE_{0}, and Claim 5 immediately follows.
Claim 5. ${\mathrm{\text{Pr}}}_{P,\U0001d4d0}[{\mathsf{\text{SuccAKE}}}_{1}]={\mathrm{\text{Pr}}}_{P,\U0001d4d0}[{\mathsf{\text{SuccAKE}}}_{0}]$.
Experiment ExpAKE_{2}. Here, we modify the experiment so that X is computed as follows:
The ExpAKE_{2} modification:
 The simulator chooses a random exponent $a\in {\mathbb{Z}}_{q}^{*}$ and computes A = aP.
 For each instance of users, the simulator chooses a random $r\in {\mathbb{Z}}_{q}^{*}$ and sets X = rA.
As a result, each K_{UG} is set to rayP for some random $r\in {\mathbb{Z}}_{q}^{*}$. Since the view of 𝓐 is identical between ExpAKE_{2} and ExpAKE_{1}, it follows that:
Claim 6. ${\mathrm{\text{Pr}}}_{P,\U0001d4d0}[{\mathsf{\text{SuccAKE}}}_{2}]={\mathrm{\text{Pr}}}_{P,\U0001d4d0}[{\mathsf{\text{SuccAKE}}}_{1}]$.
Experiment ExpAKE_{3}. We further modify the experiment as follows:
The ExpAKE_{3} modification:
 The simulator chooses two random elements A,B ∈ 𝔾 and sets Y = B.
 For each fresh instance, the simulator chooses a random $r\in {\mathbb{Z}}_{q}^{*}$ and sets X = rA. For other instances, the simulator computes X as in experiment ExpAKE_{2}.
 For each fresh instance, the simulator sets each k_{UG} to a random ℓ-bit string. For other instances, the simulator computes k_{UG} as in experiment ExpAKE_{2}.
Since k_{UG} is set to a random ℓ-bit string (for fresh instances), the success probability of 𝓐 may be different between ExpAKE_{2} and ExpAKE_{3} if it makes a J(T_{U}‖X‖Y‖K_{UG}) query. This difference is bounded by Claim 7.
Claim 7. $\mid {\mathrm{\text{Pr}}}_{P,\U0001d4d0}[{\mathsf{\text{SuccAKE}}}_{3}] - {\mathrm{\text{Pr}}}_{P,\U0001d4d0}[{\mathsf{\text{SuccAKE}}}_{2}]\mid \le 1/{q}_{J}\cdot {\mathsf{\text{Adv}}}_{\mathbb{G}}^{\mathrm{\text{EC-CDH}}}({t}_{AKE}^{3})$, where q_{J} is the number of queries made to the J oracle.
Proof. We prove the claim via a reduction from the EC-CDH problem, which is believed to be hard. Assume that the success probability of 𝓐 is non-negligibly different between ExpAKE_{2} and ExpAKE_{3}. Then we construct an algorithm 𝓐_{EC-CDH} that solves the EC-CDH problem in 𝔾 with a non-negligible advantage. The objective of 𝓐_{EC-CDH} is to compute and output the value W = uvP ∈ 𝔾 when given an EC-CDH problem instance (U = uP, V = vP) ∈ 𝔾^{2}. 𝓐_{EC-CDH} runs 𝓐 as a subroutine while simulating all the oracles on its own.
𝓐_{EC-CDH} handles all the oracle queries of 𝓐 as specified in experiment ExpAKE_{3} but using U and V in place of X and Y. When 𝓐 outputs its guess b^{′}, 𝓐_{EC-CDH} chooses an entry of the form (T_{U}‖X‖Y‖K,j) at random from JList and terminates outputting K/r. From the simulation, it is clear that 𝓐_{EC-CDH} outputs the desired result W = uvP with probability at least 1/q_{J} if 𝓐 makes a J(T_{U}‖X‖Y‖K_{UG}) query for some fresh instance of any U ∈ 𝓤. This completes the proof of Claim 7.
Experiment ExpAKE_{4}. This experiment is different from ExpAKE_{3} in that it is aborted if the following event $\mathsf{\text{Forge}}$ occurs.
$\mathsf{\text{Forge}}$: The event that the adversary 𝓐 makes a $\mathsf{\text{Send}}$ query that contains a MAC forgery.
Then we claim that:
Claim 8. $\mid {\mathrm{\text{Pr}}}_{P,\U0001d4d0}[{\mathsf{\text{SuccAKE}}}_{4}] - {\mathrm{\text{Pr}}}_{P,\U0001d4d0}[{\mathsf{\text{SuccAKE}}}_{3}]\mid \le {q}_{\mathrm{\text{send}}}\cdot {\mathsf{\text{Adv}}}_{\Sigma}^{\mathrm{\text{EF-CMA}}}({t}_{AKE}^{4})$, where q_{send} is the number of queries made to the $\mathsf{\text{Send}}$ oracle.
Proof. Assume that the event $\mathsf{\text{Forge}}$ occurs with a non-negligible probability. Then, we construct an algorithm ${\U0001d4d0}_{\mathsf{\text{EF}}}$ who generates, with a non-negligible probability, a forgery against the MAC scheme Σ. The algorithm ${\U0001d4d0}_{\mathsf{\text{EF}}}$ is given access to the ${\mathsf{\text{Mac}}}_{k}(\cdot )$ and ${\mathsf{\text{Ver}}}_{k}(\cdot )$ oracles. The goal of ${\U0001d4d0}_{\mathsf{\text{EF}}}$ is to produce a message/MAC pair (m,σ) such that: (1) ${\mathsf{\text{Ver}}}_{k}(m,\sigma )=1$ and (2) σ has not been output by the oracle ${\mathsf{\text{Mac}}}_{k}(\cdot )$ on input m.
Let n be the total number of MAC keys used in the sessions initiated via a $\mathsf{\text{Send}}$ query. ${\U0001d4d0}_{\mathsf{\text{EF}}}$ begins by choosing a random i ∈ {1, …, n}. Let k_{i} denote the i^{th} key among all the n MAC keys, and ${\mathsf{\text{Send}}}_{i}$ be any $\mathsf{\text{Send}}$ query that is expected to be answered and/or verified using k_{i}. ${\U0001d4d0}_{\mathsf{\text{EF}}}$ runs 𝓐 as a subroutine and answers the oracle queries of 𝓐 as in experiment ExpAKE_{3} except that it answers all ${\mathsf{\text{Send}}}_{i}$ queries by accessing its ${\mathsf{\text{Mac}}}_{k}(\cdot )$ and ${\mathsf{\text{Ver}}}_{k}(\cdot )$ oracles. As a result, the i^{th} MAC key k_{i} is not used during the simulation. If $\mathsf{\text{Forge}}$ occurs against an instance who holds k_{i}, ${\U0001d4d0}_{\mathsf{\text{EF}}}$ halts and outputs the message/MAC pair generated by 𝓐 as its forgery. Otherwise, ${\U0001d4d0}_{\mathsf{\text{EF}}}$ terminates with a failure indication.
If the guess i is correct, then the simulation is perfect and ${\U0001d4d0}_{\mathsf{\text{EF}}}$ achieves its goal. Namely, ${\mathsf{\text{Adv}}}_{\Sigma}^{\mathrm{\text{EF-CMA}}}({\U0001d4d0}_{\mathsf{\text{EF}}})=\mathrm{\text{Pr}}[\mathsf{\text{Forge}}]/n$. Since n ≤ q_{send} and ${\U0001d4d0}_{\mathsf{\text{EF}}}$ runs in time at most ${t}_{AKE}^{4}$, we get
This completes the proof of Claim 8.
Experiment ExpAKE_{5}. We next modify the way of answering queries to the H oracle as follows: Simulation of the H oracle: For each H query on a string str, the simulator first checks if an entry of the form (str,h) is in a list called HList which is maintained to store input-output pairs of H. If it is, h is the answer to the hash query. Otherwise, the simulator chooses a random κ-bit string h^{′}, answers the query with h^{′}, and adds the entry (str,h^{′}) to HList.
The other oracle queries of 𝓐 are handled as in experiment ExpAKE_{4}. Since ExpAKE_{5} is perfectly indistinguishable from ExpAKE_{4}, it is clear that:
Claim 9. ${\mathrm{\text{Pr}}}_{P,\U0001d4d0}[{\mathsf{\text{SuccAKE}}}_{5}]={\mathrm{\text{Pr}}}_{P,\U0001d4d0}[{\mathsf{\text{SuccAKE}}}_{4}]$.
Experiment ExpAKE_{6}. We finally modify the experiment so that the session key sk is set to a random κ-bit string for each fresh instance and its partner. Accordingly, the success probability of 𝓐 may be different between ExpAKE_{6} and ExpAKE_{5} if it asks an H query of the form H(k_{US}‖T_{U}‖ID_{SN}) for some uncorrupted U ∈ 𝓤 and SN ∈ 𝒮𝓝. But the difference is bounded by:
Claim 10. $\mid {\mathrm{\text{Pr}}}_{P,\U0001d4d0}[{\mathsf{\text{SuccAKE}}}_{6}] - {\mathrm{\text{Pr}}}_{P,\U0001d4d0}[{\mathsf{\text{SuccAKE}}}_{5}]\mid \le \frac{1}{{q}_{H}}\cdot {\mathsf{\text{Adv}}}_{\Delta}^{\mathrm{\text{IND-MEK}}}({t}_{AKE}^{6})$, where q_{H} is the number of queries made to the H oracle.
Proof. We prove the claim by constructing an eavesdropper 𝓐_{IND-MEK} who attacks the indistinguishability of Δ in experiment ${\mathbf{\text{Exp}}}_{\Delta}^{\mathrm{\text{IND-MEK}}}(\U0001d4d0,n,d,b)$. 𝓐_{IND-MEK} invokes the adversary 𝓐 and answers all the oracle queries of 𝓐 as in experiment ExpAKE_{5} except that it generates each C_{GW} to be sent to a fresh sensor instance by accessing its own encryption oracle as follows:
Let ${k}_{US}^{\prime}\ne {k}_{US}$ be a random string chosen from {0, 1}^{κ}. 𝓐_{IND-MEK} outputs $({k}_{US},{k}_{US}^{\prime})$ as a plaintext pair in the indistinguishability experiment ${\mathbf{\text{Exp}}}_{\Delta}^{\mathrm{\text{IND-MEK}}}$. Let c be the ciphertext received in return for the plaintext pair. 𝓐_{IND-MEK} sets C_{GW} equal to the ciphertext c.
That is, each C_{GW} is set to the encryption of either k_{US} or ${k}_{US}^{\prime}$. Now when 𝓐 terminates and outputs its guess b^{′}, 𝓐_{IND-MEK} selects an entry of the form (k‖T_{U}‖ID_{SN},h) at random from HList and outputs 0 if k = k_{US}, and 1 otherwise. If 𝓐 asks an H query of the form H(k_{US}‖T_{U}‖ID_{SN}) for some uncorrupted U ∈ 𝓤 and SN ∈ 𝒮𝓝, 𝓐_{IND-MEK} correctly guesses the bit b in its indistinguishability experiment with probability at least $\frac{1}{{q}_{H}}$ and therefore, Claim 10 follows.
In experiment ExpAKE_{6}, the adversary 𝓐 obtains no information on the hidden bit b chosen by the $\mathsf{\text{Test}}$ oracle since the session keys of all fresh instances are selected uniformly at random from {0, 1}^{κ}. Therefore, it follows that ${\mathrm{\text{Pr}}}_{P,\U0001d4d0}[{\mathsf{\text{SuccAKE}}}_{6}]=1/2$. This result combined with Claims 5–10 completes the proof of Theorem 2.
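Carrying Claims 5–10 through to the bound on the adversary's advantage, as an added worked step that the text leaves implicit (Theorem 1 follows the same pattern from Claims 1–4); it assumes the usual BPR-style definition $\mathsf{Adv}^{\mathrm{AKE}}_{P}(\mathcal{A}) = \mid 2\Pr[\mathsf{SuccAKE}_0]-1\mid$, which is not restated on this page, and uses the claims' bounds exactly as given above:

$$
\begin{aligned}
\mathsf{Adv}^{\mathrm{AKE}}_{P}(\mathcal{A})
 &= \bigl|\,2\Pr_{P,\mathcal{A}}[\mathsf{SuccAKE}_0]-1\,\bigr|
  = 2\,\bigl|\Pr_{P,\mathcal{A}}[\mathsf{SuccAKE}_0]-\Pr_{P,\mathcal{A}}[\mathsf{SuccAKE}_6]\bigr| \\
 &\le 2\sum_{i=1}^{6}\bigl|\Pr_{P,\mathcal{A}}[\mathsf{SuccAKE}_{i}]-\Pr_{P,\mathcal{A}}[\mathsf{SuccAKE}_{i-1}]\bigr| \\
 &\le 2\Bigl(\tfrac{1}{q_J}\cdot\mathsf{Adv}^{\mathrm{EC\text{-}CDH}}_{\mathbb{G}}(t^{3}_{AKE})
   + q_{\mathrm{send}}\cdot\mathsf{Adv}^{\mathrm{EF\text{-}CMA}}_{\Sigma}(t^{4}_{AKE})
   + \tfrac{1}{q_H}\cdot\mathsf{Adv}^{\mathrm{IND\text{-}MEK}}_{\Delta}(t^{6}_{AKE})\Bigr),
\end{aligned}
$$

where the second equality uses $\Pr_{P,\mathcal{A}}[\mathsf{SuccAKE}_6]=1/2$, the sum telescopes by the triangle inequality, and Claims 5, 6 and 9 contribute zero because they are equalities.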
Concluding Remarks
With the continuing advancements in sensor technologies, WSNs will play an increasingly important role in commercial, government and military settings. A number of recent high-profile events, such as the revelations by Edward Snowden that the US National Security Agency has been conducting massive online surveillance of both US and non-US citizens, have highlighted the importance of ensuring user privacy and anonymity. In WSNs, for example, designing a secure and efficient user authentication scheme without compromising user anonymity remains an area of active research.
In this work, we have presented a SCA-WSN scheme, a smart-card-based user authentication scheme for wireless sensor networks, which achieves user anonymity without imposing (expensive) public key operations on sensors. Our result in this paper does not contradict the result of Wang and Wang [28, 29] but rather supports and clarifies it: in order for a SCA-WSN scheme to achieve user anonymity, the use of public key cryptography is inevitable but, if forward secrecy is not desired, can be avoided at least on the sensor side. Extending our result to the case of three-factor authentication [34] would be an interesting future work.
Acknowledgments
All authors, especially the corresponding author Sangchul Han, would like to thank the anonymous reviewers for their time and invaluable comments and suggestions on this paper.
Author Contributions
Conceived and designed the experiments: JN KKRC JP DW. Performed the experiments: SH JP MK. Analyzed the data: SH JP DW. Contributed reagents/materials/analysis tools: JP DW. Wrote the paper: JN KKRC SH MK JP DW. Designed the scheme: JN KKRC DW. Proved the security of the scheme: JN KKRC.
References
 1. Rawat P, Singh K, Chaouchi H, Bonnin J (2014) Wireless sensor networks: a survey on recent developments and potential synergies. The Journal of Supercomputing 68: 1–48.
 2. Das M (2009) Two-factor user authentication in wireless sensor networks. IEEE Transactions on Wireless Communications 8: 1086–1090.
 3. He D, Gao Y, Chan S, Chen C, Bu J (2010) An enhanced two-factor user authentication scheme in wireless sensor networks. Ad Hoc & Sensor Wireless Networks 10: 361–371.
 4. Khan M, Alghathbar K (2010) Cryptanalysis and security improvements of “two-factor user authentication in wireless sensor networks”. Sensors 10: 2450–2459. pmid:22294935
 5. Chen T, Shih W (2010) A robust mutual authentication protocol for wireless sensor networks. ETRI Journal 32: 704–712.
 6. Yeh H, Chen T, Liu P, Kim T, Wei H (2011) A secured authentication protocol for wireless sensor networks using elliptic curves cryptography. Sensors 11: 4767–4779. pmid:22163874
 7. Kumar P, Choudhury A, Sain M, Lee S, Lee H (2011) RUASN: a robust user authentication framework for wireless sensor networks. Sensors 11: 5020–5046. pmid:22163888
 8. Kumar P, Lee S, Lee H (2012) E-SAP: efficient-strong authentication protocol for healthcare applications using wireless medical sensor networks. Sensors 12: 1625–1647. pmid:22438729
 9. Yoo S, Park K, Kim J (2012) A security-performance-balanced user authentication scheme for wireless sensor networks. International Journal of Distributed Sensor Networks 2012: Article ID 382810.
 10. Vaidya B, Makrakis D, Mouftah H (2012) Two-factor mutual authentication with key agreement in wireless sensor networks. Security and Communication Networks.
 11. Xue K, Ma C, Hong P, Ding R (2013) A temporal-credential-based mutual authentication and key agreement scheme for wireless sensor networks. Journal of Network and Computer Applications 36: 316–323.
 12. Shi W, Gong P (2013) A new user authentication protocol for wireless sensor networks using elliptic curves cryptography. International Journal of Distributed Sensor Networks 2013: Article ID 730831.
 13. Li C, Weng C, Lee C (2013) An advanced temporal credential-based security scheme with mutual authentication and key agreement for wireless sensor networks. Sensors 13: 9589–9603. pmid:23887085
 14. Kumar P, Gurtov A, Ylianttila M, Lee S, Lee H (2013) A strong authentication scheme with user privacy for wireless sensor networks. ETRI Journal 35: 889–899.
 15.
He D, Kumar N, Chen J, Lee C, Chilamkurti N, Yeo S (2013) Robust anonymous authentication protocol for healthcare applications using wireless medical sensor networks. Multimedia Systems.
 16.
Chi L, Hu L, Li H, Chu J (2014) Analysis and improvement of a robust user authentication framework for ubiquitous sensor networks. International Journal of Distributed Sensor Networks 2014: Article ID 637684.
 17. Kim J, Lee D, Jeon W, Lee Y, Won D (2014) Security analysis and improvements of twofactor mutual authentication with key agreement in wireless sensor networks. Sensors 14: 6443–6462. pmid:24721764
 18.
Khan M, Kumari S (2014) An improved user authentication protocol for healthcare services via wireless medical sensor networks. Internation Journal of Distributed Sensor Networks 2014: Article ID 347169.
 19.
Jiang Q, Ma J, Lu X, Tian Y (2014) An efficient twofactor user authentication scheme with unlinkability for wireless sensor networks. PeertoPeer Networking and Applications.
 20. Choi Y, Lee D, Kim J, Jung J, Nam J, Won D (2014) Security enhanced user authentication protocol for wireless sensor networks using elliptic curves cryptography. Sensors 14: 10081–10106. pmid:24919012
 21. Khan M, He D (2012) A new dynamic identitybased authentication protocol for multiserver environment using elliptic curve cryptography. Security and Communication Networks 5: 1260– 1266.
 22. Khan M, Kumari S, Singh P (2013) Cryptanalysis of an ‘efficientstrong authentiction protocol (ESAP) for healthcare applications using wireless medical sensor networks’. KSII Transactions on Internet & Information Systems 7: 967–979.
 23. He D, Kumar N, Khan M, Lee J (2013) Anonymous twofactor authentication for consumer roaming service in global mobility networks. IEEE Transactions on Consumer Electronics 59: 811–817.
 24. Xie Q, Hu B, Tan X, Bao M, Yu X (2014) Robust anonymous twofactor authentication scheme for roaming service in global mobility network. Wireless Personal Communications 74: 601–614.
 25. He D, Zhang Y, Chen J (2014) Cryptanalysis and improvement of an anonymous authentication protocol for wireless access networks. Wireless Personal Communications 74: 229–243.
 26.
Kocher P, Jaffe J, Jun B (1999) Differential power analysis. Proceedings of CRYPTO 1999, Santa Barbara, California, USA, pp. 388–397.
 27. Messerges T, Dabbish E, Sloan R (2002) Examining smartcard security under the threat of power analysis attacks. IEEE Transactions on Computers 51: 541–552.
 28. Wang D, Wang P (2014) Understanding security failures of twofactor authentication schemes for realtime applications in hierarchical wireless sensor networks. Ad Hoc Networks 20: 1–15.
 29. Wang D, Wang P (2014) On the anonymity of twofactor authentication schemes for wireless sensor networks: Attacks, principle and solutions. Computer Networks 73: 41–57.
 30.
Bellare M, Pointcheval D, Rogaway P (2000) Authenticated key exchange secure against dictionary attacks. Proceedings of EUROCRYPT 2000, Bruges, Belgium, pp. 139–155.
 31.
NIST (1999) Recommended elliptic curves for federal government use. Avaliable: http://csrc.nist.gov/groups/ST/toolkit/documents/dss/NISTReCur.pdf.
 32. Goldwasser S, Micali S (1984) Probabilistic encryption. Journal of Computer and System Sciences 28: 270–299.
 33.
Han W (2011) Weakness of a secured authentication protocol for wireless sensor networks using elliptic curves cryptography. IACR Cryptology ePrint Archive. Available: http://eprint.iacr.org/2011/293.
 34. He D, Kumar N, Lee J, Sherratt R (2014) Enhanced threefactor security protocol for USB mass storage devices. IEEE Transactions on Consumer Electronics 60: 30–37.