Fairuz Shohaimay and Eddie Shahril Ismail

1Department of Mathematical Sciences,Faculty of Science and Technology,Universiti Kebangsaan Malaysia,UKM Bangi,43600,Selangor,Malaysia

2Department of Mathematics,Faculty of Computer and Mathematical Sciences,Universiti Teknologi MARA Pahang,Raub Campus,Raub,27600,Pahang,Malaysia

Abstract: Communication technology has advanced dramatically amid the 21st century,increasing the security risk in safeguarding sensitive information.The remote password authentication(RPA)scheme is the simplest cryptosystem that serves as the first line of defence against unauthorised entity attacks.Although the literature contains numerous RPA schemes, to the best of the authors’knowledge, only few schemes based on the integer factorisation problem (IFP) and the discrete logarithm problem (DLP) that provided a provision for session key agreement to ensure proper mutual authentication.Furthermore, none of the previous schemes provided formal security proof using the random oracle model.Therefore,this study proposed an improved RPA scheme with session key establishment between user and server.The design of the proposed RPA scheme is based on the widely established Dolev-Yao adversary model.Moreover, as the main contribution, a novel formal security analysis based on formal definitions of IFP and DLP under the random oracle model was presented.The proposed scheme’s performance was compared to that of other similar competitive schemes in terms of the transmission/computational cost and time complexity.The findings revealed that the proposed scheme required higher memory storage costs in smart cards.Nonetheless,the proposed scheme is more efficient regarding the transmission cost of login and response messages and the total time complexity compared to other scheme of similar security attributes.Overall, the proposed scheme outperformed the other RPA schemes based on IFP and DLP.Finally, the potential application of converting the RPA scheme to a user identification(UI) scheme is considered for future work.Since RPA and UI schemes are similar,the proposed approach can be expanded to develop a provably secure and efficient UI scheme based on IFP and DLP.

Keywords: Authentication scheme; discrete logarithm; factorisation;password;provable security

1 Introduction

In the 21stcentury, anything is possible on the internet by using applications and services, like operational networks, databases, banking services, and e-commerce, that are available to anyone,anywhere.Although users can enjoy access to the services remotely, the convenience offered is not without a cost.The communication between users and service providers often involves sensitive data dan messages being transmitted through insecure public channel.Furthermore,communication technology has progressed rapidly, thereby increasing the security risk security to protect private information.The remote password authentication (RPA) scheme is a cryptosystem that allows authorised users access to securely communicate with the service providers.Therefore,the RPA scheme serves as the first line of defence against dangerous security threats.

1.1 Related Works

In 1999,Yang et al.[1]proposed two RPA schemes with smart cards,using timestamp and nonce(random number used once).The schemes adopted the concept of an ID-based signature scheme by Shamir[2]without the need to maintain a password verification table.Furthermore,the schemes enabled users to easily select their passwords and demonstrated resistance to replay and forged login attacks.The schemes’security foundation was grounded on two cryptographic primitives: Integer Factorisation Problem(IFP)and Discrete Logarithm Problem(DLP).Nevertheless,some improved schemes[3–9]have been proposed to overcome the security concerns of Yang et al.[1]scheme while still maintaining the cryptographic primitives of IFP and DLP.

Fig.1 presents the literature development of RPA schemes based on Yang et al.[1]scheme.The related works are defined as studies that have proposed improvements of RPA schemes and maintained the security foundation of IFP and DLP.These works are selected from the lists of citations and references of the previous studies.As an example, from Fig.1, the enhancement scheme proposed by Shen et al.[4]was designed based on cryptanalysis of Yang et al.[1]scheme.

Figure 1: Development of RPA schemes based on Yang et al.[1] scheme using two cryptographic primitives(IFP and DLP)

Shen et al.[4] provided one of the most significant enhancements to scheme by Yang et al.[1], arguing that adversaries could exploit users’sensitive data through fake servers.As a result, the problem was rectified by incorporating mutual authentication between user and server.Nevertheless,the scheme was shown to be vulnerable to existing and novel security attacks, such as replay,secret-key guessing, and forgery attacks [10–13].From there, numerous modifications [10–16] have been proposed.These studies reported their schemes to be more practical and efficient than earlier comparable schemes while maintaining a security basis of similar cryptographic primitives(i.e.,IFP and DLP)during mutual authentication.Notably,Liu et al.[10]developed a novel nonce-based RPA scheme that could prevent forged login without incurring additional computational cost on the smart card.

Another notable contribution is the improved scheme by Yang et al.[8],which could withstand forgery,password-guessing,smart card loss,and replay attacks.Subsequently,Kim et al.[17]demonstrated that Yang et al.[8] scheme could not withstand previous forgery attacks.Later, Khan [18]demonstrated the vulnerabilities in[8]and presented an enhanced scheme with mutual authentication to address the problem.Nevertheless, other studies [19], [20] have shown that Kim et al.[17] is vulnerable to forgery attacks.As a result,Giri et al.[19]proposed a new scheme to resist the forgery attacks,as well as other types of threats,such as password-guessing,smart card loss,and replay attacks.The most recent related study by Ismail et al.[20]presented a new attack and proposed modifications to address the new threats.

Awasthi et al.[15] demonstrated that the scheme by Shen et al.[4] is vulnerable to forged login attacks and presented additional security concerns about the scheme by Liu et al.[10].Hence,Awasthi et al.[15]proposed an enhanced scheme for resisting forgery attacks with reduced smart card memory storage cost.Unfortunately, the scheme was shown to be vulnerable to impersonation, insider, and password-guessing attacks by An[21],which also suggested improvements to make the scheme more secure to resist all of the mentioned attacks while supporting mutual authentication.Furthermore,Kumari et al.[16]highlighted that scheme proposed by Awasthi et al.[15]could not resist the claimed attacks.Therefore, they recommended a three-factor scheme authentication improvement with the added security of the user’s fingerprint.

Kumari et al.[16] proposed the latest RPA scheme construction based on IFP and DLP.The study was the first to introduce a scheme that included a shared session key between the user and the server to eliminate the man-in-the-middle attack, accompanied by the most comprehensive and informal security analysis.The proposed scheme was shown to be resistant to many security attacks, including the smart card loss, replay, impersonation, forgery, offline password-guessing,denial-of-service, insider, and stolen verifier attacks.Nevertheless, the scheme’s computational and communication costs were the highest among all the schemes in Fig.1.

1.2 Motivation and Contributions

Security analysis,like that of other cryptosystems,is imperative in developing new RPA schemes.Although numerous RPA schemes based on IFP and DLP have been proposed in the literature,none of them provides security proof under the random oracle model.The security proof requirement has been fulfilled by many schemes constructed based on other cryptographic primitives in the literature,such as IFP [22], Elliptic Curve Discrete Logarithm Problem (ECDLP) [23], and chaotic maps [24].Although the study by Kumari et al.[16]featured many security attributes,no formal security proof of its scheme was presented.Consequently, despite being the most secure among similar works, the proposed scheme had to sacrifice its performance efficiency.Therefore, the purpose of this study is two-fold.First,the aim of this study is to propose an efficient RPA scheme with session key agreement based on two cryptographic primitives(IFP and DLP).Next,the main contribution of this study is to present a formal security analysis based on the formal definitions of IFP and DLP under the random oracle model to prove the security of the proposed scheme.

1.3 Organisation of the Paper

The remainder of this paper is organised as follows.Section 2 presents the mathematical and security preliminaries.Section 3 then explains the newly proposed scheme.Section 4 presents the proposed scheme’s formal and informal security analyses.Section 5 provides a comparative study of the previous schemes of[4,15,16],and the present scheme.Section 6 discusses how the RPA scheme could be used to develop a user identification(UI)scheme.Finally,Section 7 presents the conclusion and recommendation.

2 Preliminaries

This section provides a brief overview of the mathematical concepts that served as the security foundation in the development of the proposed scheme in this study,including the definitions of IFP[25],DLP[26],and the one-way hash function(e.g.,MD5[27]or SHA-256[28]).The adversary model and security goals were also considered.Tab.1 shows the notations and descriptions used in this paper.

Table 1: Notations and descriptions

Table 1:Continued

2.1 IFP

Given a 2048-bit integern=p×q,find the primespandqthat are each at least 1024-bit length.Ifpandqare known,it will be easy to computen.Findingpandqgivenn,on the other hand,is a computationally intractable problem.

2.2 DLP

Assume thatgis a primitive element of a finite field Fpwith orderp.Consider the equation,

Giveng,α, andp, calculating the modular exponentiationβ=gαmodpis trivial.However,finding the exponentαgiveng,β,andp,it is computationally infeasible.

DLP is defined over a multiplicative groupwheren=p×qof orderφ(n)=(p-1)(q-1).Consider the equation,

If the factorisation of orderφ(n)is known andφ(n)has(small)prime factors,an instance of the DLP incan be reduced to two instances of the DLP inandusing Pohlig et al.[29]algorithm.Nevertheless, it is believed that finding the exponentαis intractable for DLP in the multiplicative groups of finite fields[30].

2.3 Hash Function

A cryptographic one-way hash functionh:X= {0, 1}*→Y= {0, 1}lhas the following properties.

■The functionhtakes an arbitrary length inputx∈Xand returns a fixedl-bit length message digesty∈Y.

■The functionhis one-way;that is,given the inputx,computingh(x)=yis trivial.However,giveny,it is computationally infeasible to find the inverseh-1(y)=x.

■The functionhis collision-resistant,which means that finding two inputsx1x2such thath(x1)=h(x2)is computationally infeasible.

The SHA-256 hash function was adopted for the proposed scheme.Other secure hash algorithms,such as SHA-1,SHA-224,SHA-384,SHA-512,and SHA-512/256[28],can also be implemented.

2.4 Adversary Model

For communications over an insecure public channel,the Dolev et al.[31]adversary model was considered.Accordingly,the following assumptions were made.

■Assumption A1:An adversaryAcan trap,delete,or alter the transmitted messages.

■Assumption A2:An adversaryAcan obtain the stored information in the smart card using power monitoring techniques[32,33].

■Assumption A3: An adversaryAcan guess the identity or password using the dictionary attack.However,the adversaryAcannot guess the identity and password simultaneously using any online/offline attacks within polynomial time[34].

According to this adversary model, the following two cases as per [35] were also taken into account.

■Case 1:An adversaryAcan be a non-registered user who tries to perform various attacks against the authentication system.

■Case 2:An adversaryAcan be a registered user who tries to obtain the secret parameters of the server by which he/she can mount various attacks against the authentication system.

2.5 Security Goals

The following are the security goals of an ideal RPA scheme defined in this study that should be achieved,as listed in[36].

■Mutual authentication:Both the server and the user can verify the legitimacy of each other.Furthermore,no illegal users or servers can impersonate a legal user or server.

■Session key agreement: A session key should be created at the end of a successful mutual authentication process.Subsequently, the data transmitted between both entities should be encrypted to ensure confidentiality and secrecy.

■User anonymity: During data transmission over a public channel, a user’s valid identity should be concealed.Even if adversaryAcan analyse login information or gain access to services, user anonymity protects user’s sensitive data, such as personal details, financial information,and social circles,from unauthorised parties.

3 Proposed Scheme

This section presents the proposed RPA scheme based on the security of IFP and DLP and consisted of five phases:(1)initialisation phase,(2)registration phase,(3)login phase,(4)authentication phase, and (5) password change phase.Furthermore, three entities were also considered: KIC, userUi, and serverS.In this scheme, the KIC is a trusted authority responsible for generating global parameters,computing user and server secret information,and providing new users with smart cards.

3.1 Initialisation Phase

The KIC sets up the server’s public and secret parameters during the initialisation phase.

1.Generate two large primesp=2p1+1 andq=2q1+1 of 1024-bit length,wherep1andq1are both primes.

2.Computen=p×qandφ(n)=(p-1)·(q-1).

3.Find a prime numbereand integerdsuch thate·d≡1 modφ(n),whereeis the serverS’s public-key anddis the corresponding private key.

4.Find an integerg,which is a primitive element for both finite prime fields Fpand Fq.

5.Decide on a secret parameterx∈for serverSand the format for identityIDof a user.

6.KIC⇒S:{d,x,ID format}.

The private keyd,secret parameterx,and format of a user’sIDshould be safely provided to the serverS.KIC is no longer needed once the system is set up,except during the registration phase when new users request to join.The integer pairpandqwill not be used anymore and should be disposed of securely.

3.2 Registration Phase

In the registration phase,a new userUiperforms the following steps.

The KIC then performs the following steps.

After receiving the smart cardSCi,Uiperforms the following steps.

Fig.2 depicts an overview of the proposed RPA scheme’s phases.

3.3 Login Phase

When a registered userUiwants to access the serverS,the userUiinserts the smart cardSCiinto a remote terminal.The user then enters the identityIDiand passwordpwi.The following steps are taken by the smart cardSCi.

Figure 2:Overview of the proposed RPA scheme

3.4 Authentication Phase

Once the serverSreceives the login message request at the timeTS,it proceeds with the following steps.

1.Check(TS-TU) ＜ΔT, whereΔTis the allowed time transmission.If the time difference does not hold,the login request is rejected.

2.Computew=h(d||x).

3.ExtractIDiby computingIDi=DIDi⊕w.

4.Check the validity of the format forIDi.If the format ofIDiis invalid, the login request is rejected.

Once the userUireceives the response message at the timeTc,the user then performs the following steps.

Once the session keySKis established,the userUiand serverScan communicate with each other immediately.This step completes the mutual authentication process and eliminates the risk of the man-in-the-middle attack.

3.5 Password Change Phase

This phase enables the userUito change or update the password independently without interacting with the KIC or the serverS.When changing the password,the userUiinserts the smart cardSCiinto the terminal and enters the identityIDiand passwordpwi.The following steps are conducted by the smart cardSCi.

If userUi’s smart cardSCiis lost or stolen,the userUimust re-register with the KIC.Then,the KIC should issue a new smart card for the userUifollowing the steps outlined in the registration phase.

3.6 Proof of Correctness

The propositions and proofs of correctness are presented below for the sake of completeness of the proposed scheme.

Proposition 1.If userUienters the correct identityIDiand passwordpwi,and Steps 1 and 2 of the login phase run well,the local user verification equation in Step 3 of the login phase will always hold.The proof is shown below.

Proposition 2.If all the login phase steps and Steps 1–5 of the authentication phase run well,and the login message{n,e,DIDi,Xi,Yi,TU}is properly generated,then the user authentication equation in Step 6 of the authentication phase will always hold,as shown below.

Proposition 3.If all the steps in the authentication phase(Steps 1–10)run well and the response message {Ri,TS} is properly generated, then the server authentication equation in Step 11 of the authentication phase will always be true,as shown below.

4 Security Analysis of the Proposed Scheme

This section presents the formal security proof that the proposed scheme is provably secure against an adversaryAfor deriving the private keyd, secret parameterx, identityIDi, passwordpwi, and shared session keySK.The proposed scheme is also shown to provide the desired security attributes.

4.1 Formal Security Proof

The formal security analysis of the proposed scheme,which is based on the random oracle model,is explained below.Specifically, the proposed scheme’s formal security proof adopted the approach taken by[22,37–39].To begin,the formal definitions of the collision-resistant cryptographic one-way hash function[39],IFP[22]and DLP[40,41]are given.

Definition 1.A secure collision-resistant one-way hash function

is a deterministic algorithm that takes an arbitrary length inputx∈{0,1}*binary string and yields a fixed-lengthl-bit binary string outputh(x)∈{0,1}l.

An adversaryA’s advantage in finding a collision is given as

where Pr[E] is the probability of an eventEin a random experiment and(x1,x2)⇐RAdenotes a randomly selected pair(x1,x2)by the adversaryA.As a result,the adversaryAcan be probabilistic.The adversaryAcomputes the probability in the advantage over the random choices with the execution timet1.If1)≤ε1, for any sufficiently smallε1＞0, the one-way functionh(·)is collisionresistant.

Definition 2.Assume thatGenFis a polynomial time algorithm with input security parameter 1ρand outputs(n,p,q),wheren=p×q,andpandqareρ-bit distinct primes.Givenn,the integer factorisation assumption relative toGenFstates that it is computationally infeasible to derive the prime factorspandq,except with a negligible probability inρ.

For any adversaryAof probabilistic-polynomial time(PPT),its factorisation advantage is given by

Algorithm 1:EXPDLP G,g (A)1: Select u∈RZn 2: Compute U ←gu mod n 3: Compute u* ←A(U)4: if gu* =U mod n then 5: return 1(Success)6: else 7: return 0(Failure)8: end if

The DLP advantage of algorithmAwith execution timetis defined as

If the DLP advantage of any adversaryAin terms of time complexity is small,the DLP is hard inG.Hence,DLP is computationally infeasible if≤εDLP,for any sufficiently smallεDLP ＞0.

For this security proof,the adversaryAis assumed to have access to the following three random oracles listed below.

■OracleH:This oracle outputs the stringxfrom a hash valuey=h(x).

■OracleF:This oracle outputs the private keydof the serverSfrom the valuesnande.

■OracleD:This oracle outputs the valuex∈Znfrom the valueh=gxmodn,wheregis the generator inGof ordern.

The three theorems and proof of formal security analysis are then presented as follows.

Theorem 1.If the cryptographic one-way hash functionh(·)behaves like a true random oracle,and integer factorisation and discrete logarithm are computationally hard problems,then the proposed RPA scheme is provably secure against an adversary A for deriving the private key d and secret parameter x of server S.

Proof.Initially, an adversaryAis constructed with the ability to derive private keydand secret parameterxof the serverSby running the algorithm, as shown in Algorithm 2 for the proposed RPA scheme.ByAssumption A2,suppose that the adversaryAcan extract{n,e,g,ji,vi,Si,hi,from the smart card using power monitoring techniques.ByAssumption A1, it is further assumed that the adversaryAintercepts login message{n,e,DIDi,Xi,Yi,TU}and response message{Ri,TS}at the timeTUandTS,respectively.

Algorithm 2:ALGOracle A,PAS for deriving private key d and secret parameter x of server S Input:n,e,g,ji,vi,Si,hi,DIDi,Xi,Yi,TU Output:0 or 1 1: Compute CIDi =Se i mod n 2: Call OracleH on input CIDi to retrieve identity ID*i and secret parameter x* as(ID*i||x*) ←OracleH(CIDi)3: Compute h(IDi||hpwi)=ji ⊕hi 4: Call OracleH on input h(IDi||hpwi) to retrieve identity ID**i and hpw*i as (ID**i ||hpw*i) ←OracleH(h(IDi||hpwi))5: if ID*i images/BZ_15_1302_2457_1339_2503.pngID**i then 6: return 0(Failure)7: else 8: Compute w=h(IDi||hpwi)⊕vi and w* =DIDi ⊕ID*i 9: Call OracleH on input w to retrieve the private key d* and secret parameter x** as(d*||x**)←OracleH(w)10: Call OracleF on input e and n to retrieve the private key d**as d** ←OracleF(e,n)11: if w=w*and d* =d**then 12: Call OracleD on input hi,g,ID*i,and d* to retrieve the secret parameter x*** as x*** ←OracleD(hi,g,ID*i,d*)13: if x* =x** =x***then 14: if Ye i =CIDi·Xh(IDi||TU)·d·x i mod n then 15: Accept d* and x* as the correct private key and secret parameter of server S,respectively return 1(Success)16: else 17: return 0(Failure)18: end if 19: else 20: return 0(Failure)21: end if 22: else 23: return 0(Failure)24: end if 25: end if

Algorithm 3:ALG2Oracle A,PAS for deriving identity IDi and password pwi of user Ui Input:n,e,ji,Si,hi, ˆbi Output:0 or 1 1: Compute CIDi =Se i mod n 2: Call OracleH on input CIDi to retrieve identity ID*i and secret parameter x* as (ID*i||x*) ←OracleH(CIDi)3: Compute h(IDi||hpwi)=ji ⊕hi 4: Call OracleH on input h(IDi||hpwi) to retrieve identity ID**i and hpw*i as (ID**i ||hpw*i) ←OracleH(h(IDi||hpwi))5: if ID*i images/BZ_15_1302_2457_1339_2503.pngID**i then 6: return 0(Failure)7: else 8: Call OracleH on input hpw*i to retrieve the identity pw*i and b*i as (pw*i||b*i) ←OracleH(hpw*i)9: Compute ˆb*i =h(ID*i||pw*i)⊕b*i 10: if ˆb*i = ˆbi then 11: Accept ID*i and pw*i as the correct identity and password of user Ui,respectively return 1(Success)12: else 13: return 0(Failure)14: end if 15: end if

Theorem 3.If the cryptographic one-way hash functionh(·)behaves like a true random oracle,then the proposed RPA scheme is provably secure against an adversary A for deriving the shared session key SK between user Ui and server S.

Algorithm 4:ALG3Oracle A,PAS for deriving session key SK shared between user Ui and server S Input:n,e,ji,vi,Si,hi,DIDi,Xi,Yi,TU,Ri,TS Output:0 or 1 1: Compute CIDi =Se i mod n 2: Call OracleH on input CIDi to retrieve identity ID*i and secret parameter x* as (ID*i||x*) ←OracleH(CIDi)3: Compute h(IDi||hpwi)=ji ⊕hi and w=h(IDi||hpwi)⊕vi 4: Call OracleH on input h(IDi||hpwi) to retrieve identity ID**i and hpw*i as (ID**i ||hpw*i) ←OracleH(h(IDi||hpwi))5: if ID*i images/BZ_15_1302_2457_1339_2503.pngID**i then 6: return 0(Failure)7: else 8: Compute w* =DIDi ⊕ID*i and Z*i =h(ID*i||TS)9: if w=w*and Z*i =Re i mod n then 10: Successfully compute the session key SK = h(ID*i Z*i w*TUTS) shared between user Ui and server S return 1(Success)11: else 12: return 0(Failure)13: end if 14: end if

4.2 Security Attributes

This section further analyses the security attributes offered by the proposed RPA scheme.

4.2.1 No Data Storage in Server S

The proposed scheme preserves the “no data storage”feature of Kumari et al.[16] scheme.By using the information provided by the login message request,private keyd,and secret parameterx,the serverScan perform all the calculations to authenticate the validity of the userUi.

4.2.2 Mutual Authentication

4.2.3 Session Key Agreement

After completing the mutual authentication process,both the userUiand serverSwill establish a shared session keySK=h(IDiZiwTUTS).Since the adversaryAdoes not knowIDi,Zi,andw,the session keySKcannot be directly computed due to the cryptographic collision-resistant one-way hash function.As a result,the proposed scheme can protect the secrecy of shared session keys.

4.2.4 User Anonymity

According toAssumption A2,the adversaryAmay extract information{n,e,g,ji,vi,Si,hi,}from the smart cardSCi.The identityIDiis contained in the parametersji,vi,Si, andhi.Nevertheless,the adversaryAis unable to derive identityIDisince the adversaryAneeds to invert the output of a collision-resistant one-way hash function.This is only possible for an adversary with a negligible probability in polynomial time,as proven in Theorem 2.As a result,the proposed scheme can preserve user anonymity.

4.2.5 Local Password Verification

The proposed scheme offers an incorrect input detection feature.Before logging into the serverS,the smart cardSCiverifies the legality of identityIDiand passwordpwi.The verification equationji⊕hi=h(IDi||hpwi)will detect if a userUiinputs the identityIDior passwordpwi,or both incorrectly by mistake.Without knowingIDi,pwi,andbi,the adversaryAis unable to correctly calculateh(IDi||hpwi)and subsequently,the verificationji⊕hi=h(IDi||hpwi)will fail.Therefore,the proposed scheme can block illegal access using local password verification.

4.2.6 Password Changeability

The extra“password change”phase in the proposed scheme grants users the convenience to change or update their passwords locally.This phase can be done without interacting with the KIC or the serverS.

4.2.7 User-Friendliness

The proposed scheme permits the userUito freely choose the identityIDiand passwordpwi.The userUican easily change or update the passwordpwiwithout communicating with serverSwithin minimal time without having to go through the registration phase.As a result,the proposed scheme is hassle-free and user-friendly.

5 Performance Comparison and Analysis

The endorsement of a new RPA scheme should be supported by careful analysis of its performance.For this purpose, the proposed scheme was compared with similar RPA schemes [4,15,16].These schemes are chosen according to the security attributes offered,which are mutual authentication and no data storage in the server.Furthermore,since the aim of this study is to propose an efficient RPA scheme,it is considerable to compare its performance to the most recent scheme by Kumari et al.[16]that is found in the literature.The security attributes and efficiency of all schemes considered are investigated in this section.

Tab.2 compares all schemes based on the security attributes discussed in Section 4.According to Tab.2,the proposed scheme and the scheme by Kumari et al.[16]outperformed the schemes by Shen et al.[4] and Awasthi et al.[15].All of the security attributes of [16] were retained in the proposed scheme,including no storage of data in serverS,mutual authentication,session key agreement,user anonymity, local password verification, password changeability, and user-friendliness.Furthermore,unlike the other schemes, the proposed scheme includes a formal security analysis.As a result, the proposed RPA scheme outperformed other considered schemes in terms of security attributes.

Table 2: Comparison of schemes based on security attributes

Table 2:Continued

The assessment assumptions for the efficiency analysis were based on[17,29].Assuming that each value of {IDi,pwi,bi,ri} is 160-bit long, the output message digests of secure one-way hash function(SHA-256 [28]) {CIDi,DIDi,SK,w,hpwi,vi,ji,} are 256-bit long, and the timestamps {TU,TS,Tc}are 32-bit long.The modular operation of modnis 2048-bit long, and the modular exponentiation is regarded as the most expensive operation.Hence, the values {n,e,d,Si,hi,Xi,Yi,Ri} are 2048-bit and{x,g}are 1024-bit.The exclusive OR(⊕)operation involves very few computations and hence is negligible.The time complexity with the exponential operation(Te),modular multiplication operation(Tm),hashing operation(Th),and exclusive OR operation(⊕)can be roughly expressed asTe≫Tm≈Th ＞⊕.For ease of time complexity comparison between schemes,the approximation of execution time complexity ofTeandThin terms ofTmis assumed asTe≈240TmandTh≈Tm[42].Tab.3 shows the transmission/computational cost and time complexity for all considered schemes.

Table 3: Comparison of schemes based on transmission/computation cost and time complexity

In the proposed scheme,the parameters{n,e,g,ji,vi,Si,hi,}are stored within the smart cardSCi.The memory storage required for the smart card isC1=(4 ×2048)+(1024)+(3 ×256)= 9984-bit, which is the highest among other schemes, particularly 352-bit more than Shen et al.[4].The transmission costC2is the memory space of the login message, {n,e,DIDi,Xi,Yi,TU} and response message, {Ri,TS} that are exchanged during the login and authentication phases.For the proposed scheme,itsC2=(5×2048)+(256)+(2×32)=10560-bit,which is the lowest among other schemes,particularly 928-bit less than Awasthi et al.[15].The computational costC3is the total time complexity of operations executed during the registration phase,C3=2Te+2Tm+5Th.The computational cost of smart cardSCiand serverSareC4=3Te+4Tm+6ThandC5=3Te+3Tm+5Th,respectively(exhibit the time spent during the authentication phase and session key agreement).

Based on Tab.3, the total computational costs (C3+C4+C5) of the schemes of Shen et al.[4]and Awasthi et al.[15]are both 8Te+5Tm+6Th≈1931Tm.While,the total computational costs for schemes of Kumari et al.[16]and the proposed scheme are 10Te+5Tm+18Th≈2433Tmand 8Te+9Tm+16Th≈1945Tm,respectively.Compared with the schemes by Shen et al.[4]and Awasthi et al.[15],the proposed scheme is less efficient with 14Tmhigher computational cost.In Fig.3,the bar chart presents the efficiency of the proposed scheme over other considered schemes.It is clear that the proposed scheme is more efficient than Kumari et al.[16].The total computational cost of Kumari et al.[16]has been significantly reduced by 20%in the proposed scheme.

Figure 3:Comparison of schemes based on total computational cost(C3+C4+C5)

As provided in Tab.2, both the proposed scheme and Kumari et al.[16] require extra steps for session key agreement,which explains the higher computational cost when compared to the schemes by Shen et al.[4]and Awasthi et al.[15]in Tab.3.It is worth noting that,as shown in Tab.3,the proposed scheme requires larger smart card memory storage,particularly 3480-bit more than Kumari et al.[16].However,this is justified because the proposed RPA scheme significantly reduced the transmission cost by 1024-bit as compared to Kumari et al.[16].Additionally,the total computational cost improved to 1945Tm,which is 488Tmless than Kumari et al.[16].Based on the security attributes,communication cost, and time complexity, it can be concluded that the proposed scheme outperformed all other schemes considered.

6 Application

This section discusses the proposed approach’s potential applicability in developing a UI scheme.The UI scheme can be considered a simpler algorithm used to distinguish unique users prior to the authentication process.Most RPA schemes require two or more factors(e.g.,password,smart card,and fingerprint),whereas UI schemes just need the user’s identity.Figs.4a and 4b show the flowcharts for the RPA and UI schemes,respectively.At a glance,the phases in the RPA and UI schemes appear similar,except that the UI scheme does not require a login phase.Some parameters can be removed while retaining the cryptographic primitives of IFP and DLP, depending on the security goals and purposes.Therefore, it would be interesting to investigate the prospect of converting the proposed RPA scheme into an improved UI scheme with provable security.

Figure 4:Process flowchart for RPA and UI schemes(a)RPA scheme(b)UI scheme

7 Conclusion

The aim of this study is to primarily propose an efficient RPA scheme that offers session key establishment between user and server.The widely established Dolev-Yao adversary model was considered in the development of the proposed scheme,which attained the desired security attributes of Kumari et al., such as no data storage in serverS, user anonymity, local password verification,password changeability, and user-friendliness.Furthermore, as the main contribution, a formal security proof of the proposed scheme was presented based on the random oracle model using formal definitions of IFP and DLP.Although the proposed scheme required higher smart card memory than other similar schemes by Shen et al., Awasthi et al.and Kumari et al., this was acceptable owing to its much-reduced transmission/computation cost and time complexity than Kumari et al.’s scheme.The performance analysis proved that the proposed RPA scheme is noticeably better than Kumari et al.,given that it can provide the same security attributes.Future work will investigate the use of two cryptographic primitives(IFP and DLP)in the development of UI schemes.Since the phases in RPA and UI schemes are similar,it would be interesting to examine the potential application,particularly in terms of security and performance.Expectantly, this should aid in the design of an efficient and provably secure UI scheme.

Acknowledgement:Authors are grateful for the support from Universiti Teknologi MARA(UiTM)and Universiti Kebangsaan Malaysia (UKM) for providing the facilities and resources, and UiTM/KPT-SLAB scholarship from the Ministry of Higher Education Malaysia (MOHE).In addition,the authors would like to thank anonymous reviewers for their comments and suggestions to improve this manuscript.

Funding Statement:This research is funded by UKM under Grant No.GUP-2020-029.

Conflicts of Interest:The authors declare that they have no conflicts of interest to report regarding the present study.