An anonymous authenticated key-agreement scheme for multi-server infrastructure

Thanks to a single registration, multi-server authentication lets a user obtain services from several servers through a trusted agent. Users are generally reluctant to register individually with every service provider because of the burden of memorizing multiple passwords. Multi-server authentication gives quick access to services by validating the customer in real time over a public channel. Hundreds of multi-server authentication protocols have since been introduced; nevertheless, more efficient and robust authentication schemes are still being sought by the research community. We introduce an anonymous scheme that resists the major security threats, such as impersonation, insider and password modification attacks, at a viable computing cost. We use the random oracle model for the formal security analysis of the proposed scheme. The performance analysis shows that the proposed scheme incurs less computation, energy, communication and storage cost than related protocols. This analysis and comparison show that our proposed scheme is well suited to anonymous authentication and key agreement.

Introduction
... made improvements to the authentication method [26][27][28]. In addition, some protocols have begun to use biometrics to ensure security [29]. The above discussion shows that designing a protocol for multi-server infrastructures that meets the security requirements is a serious task. None of the current solutions is immune to all known attacks, nor can they guarantee the cost of their own computations. Section III describes our proposed scheme. The security and performance analyses are given in Sections IV and V, respectively. Section VI concludes the paper.

Our contribution
An anonymous three-factor authentication protocol is introduced in this paper, which enhances user authentication with the help of the biometric impression. Our contributions are as follows.
1. First, we introduce an ECC-based three-factor user authenticated key-agreement protocol.
2. Second, if a smart card can be forged by an adversary, the user's environment cannot be secure. In our protocol the user's biometric impression can be verified by the client as well as by the server, which in some specific applications provides protection for specific requirements. RC and server have separate responsibilities: RC is involved in the authentication phase and retains the privacy of registration, while the server validates the client before providing further services; this makes the protocol more scalable for the multi-server architecture.
3. Finally, our protocol offers mutual authentication for each pair of the three participants (server, user and RC), providing strong protection by identifying possible replay messages.

Preliminaries
This section states the hash functions, elliptic-curve cryptography and adversarial model used in this paper, while Table 1 presents the common notations used in the rest of the article.

Hash functions
A hash function takes an input string of arbitrary size and produces a fixed-size output $O = H(String)$, called the hash code. A small change in the input string causes a large change in the output. A secure one-way hash function has the following properties:
• Given the string, it is easy to compute $O = H(String)$.
• Given $O = H(String)$, it is computationally infeasible to recover the string.
• It is computationally infeasible to find two distinct inputs $String_1 \neq String_2$ such that $H(String_1) = H(String_2)$. This property is called collision resistance.
Definition 1 (Collision resistance) A secure hash function $H(\cdot)$ is assumed to be collision resistant. The probability that an attacker $A$ finds a pair $(String_1, String_2)$ with $String_1 \neq String_2$ and $H(String_1) = H(String_2)$ is denoted $Adv^{HASH}_A(t)$, where the attacker may choose the pair $(String_1, String_2)$ at random and the advantage is measured over these random choices within polynomial time $t$. Collision resistance means that $Adv^{HASH}_A(t) \le \epsilon$, where $\epsilon > 0$ is a sufficiently small value.

Elliptic-curve cryptography (ECC)
An elliptic curve is defined by the equation $E_P(e, f): c^2 = d^3 + ed + f \pmod P$ over the prime finite field $F_P$, with points $(d, c) \in F_P^* \times F_P$, coefficients $e, f \in F_P$ and $4e^3 + 27f^2 \neq 0 \pmod P$, where $P$ is a chosen large prime of size at least 160 bits. Scalar multiplication is obtained by repeated addition, $nt = t + t + \dots + t$ ($n$ times), for a fixed point $t$ on $E_P(e, f)$ and a multiplier $n$. The variables $(e, f, t, P, n)$ belong to the finite field $F_P$. The points of $E$ form an abelian group, with $O$ denoting the point at infinity, which serves as the identity element.
Definition 2 (Elliptic-curve discrete logarithm problem, ECDLP) Given two points $R, V \in E_P(e, f)$, compute the scalar $n$ such that $R = nV$. The probability that an attacker $A$ computes $n$ in polynomial time $T$ is denoted $Adv^{ECDLP}_A(T)$; the ECDLP assumption states that $Adv^{ECDLP}_A(T) \le \epsilon$.

Adversarial model
The familiar adversarial model of [2,30] is adopted in this paper, with the following assumptions about the capabilities of the adversary Advs:
1. Advs has full control over the public communication channel: Advs can delete, modify, replay and intercept messages, or inject new forged messages.
2. Advs can extract the information stored in the smart card by power analysis.
3. Advs may be a dishonest user, an intruder, or a service provider of the system.
4. The identities of registered servers and users are not private and are known to insiders.
5. Advs cannot attack the server, since the server is assumed to be secure.

Proposed scheme
In this section we propose an anonymous multi-server authentication protocol. Although the protocol places more computation on the server side, the server is usually assumed to have sufficient resources, so it can easily handle these extra computations in order to lower the computation cost on the user side. The scheme is based on a multi-server architecture involving a user ($U_u$), a server ($S_j$) and a registration centre (RC). RC provides the facility for user registration and further helps the user obtain services from the server. RC selects its master secret key $x$ to register all users. Like former schemes, the proposed scheme has three stages: registration, authentication and password change. The proposed protocol is shown in Fig. 2 and described in the following subsections.

Server registration phase
To become a legitimate server $S_j$, the server registers with RC by following these steps.
SR Step1: $S_j$ selects its identity $ID_j$ and sends it to RC through a secure channel.
SR Step2: After receiving $ID_j$, RC computes $s = h(ID_j \| x)$, $pk_{S_j} = sP$ and $pk_{RC} = xP$, where $x$ is the secret key maintained by RC.
SR Step3: RC then sends $s$, $pk_{S_j}$, $pk_{RC}$ to server $S_j$, and the registration ends.

User registration phase
$U_u$ performs the following operations with RC to become a legal user of the network.
UR Step1: The user selects an identity $ID_u$, a password $PW_u$ and a biometric impression $B_u$, and generates an arbitrary nonce $a$. The user then computes $M = H(ID_u \| B_u)$ and $TW = h(a \oplus H(B_u \| PW_u))$ and sends $ID_u, M, TW$ to RC to complete the registration.
UR Step2: RC computes $X_u = h(ID_u \| pk_{RC})$, $Y_u = X_u \oplus h(M \| TW)$ and $F_u = h(h(ID_u \| TW))$, stores $h(), Y_u, F_u$ in a smart card and sends the card ($SC_u$) to $U_u$.
UR Step3: $U_u$ further adds the number $a$ to $SC_u$. The smart card now holds $\{h(), Y_u, F_u, a\}$.

Fig. 2 Proposed Scheme
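The curve arithmetic from the ECC preliminaries together with the server and user registration phases above, written out as an added example; this is not the paper's code. It assumes the secp256k1 parameters for $E_P(e,f)$ and SHA-256 for both $h()$ and $H()$ (the paper fixes neither), treats $\|$ as byte concatenation, and reduces $s$ modulo the group order before the point multiplication. The identities, password, biometric template, master key and nonce are constructed sample values, and the function names (`rc_register_server`, `card_accepts`, and so on) are this example's own.

```python
import hashlib
import hmac

# Curve E_P(e, f): c^2 = d^3 + e*d + f (mod P). The paper fixes no curve, so the
# secp256k1 parameters are assumed here to get a real 256-bit prime field.
P_MOD = 2**256 - 2**32 - 977
E_COEF, F_COEF = 0, 7
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
ORDER = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
INF = None  # the point at infinity O, identity element of the group

def curve_is_nonsingular(e, f, p):
    """The paper's curve condition 4e^3 + 27f^2 != 0 (mod P)."""
    return (4 * e**3 + 27 * f**2) % p != 0

def on_curve(pt):
    if pt is INF:
        return True
    d, c = pt
    return (c * c - (d**3 + E_COEF * d + F_COEF)) % P_MOD == 0

def point_add(p1, p2):
    """Group law on E_P(e, f), including O and P + (-P) = O."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + E_COEF) * pow(2 * y1, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD)
    lam %= P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def scalar_mult(n, pt):
    """nt = t + t + ... + t (n times), computed by double-and-add."""
    result, addend = INF, pt
    while n > 0:
        if n & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        n >>= 1
    return result

# h() and H() are both modelled with SHA-256 (an assumption); '||' is byte concatenation.
def h(*parts):
    return hashlib.sha256(b"".join(parts)).digest()

H = h

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def point_bytes(pt):
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")

def rc_register_server(x, id_j):
    """SR Step2: s = h(ID_j || x), pk_Sj = sP, pk_RC = xP (s reduced mod the order)."""
    s = int.from_bytes(h(id_j, x.to_bytes(32, "big")), "big") % ORDER
    return s, scalar_mult(s, G), scalar_mult(x, G)

def user_registration_request(id_u, pw_u, b_u, a):
    """UR Step1: M = H(ID_u || B_u), TW = h(a xor H(B_u || PW_u))."""
    return H(id_u, b_u), h(xor(a, H(b_u, pw_u)))

def rc_register_user(id_u, M, TW, pk_rc):
    """UR Step2: X_u = h(ID_u || pk_RC), Y_u = X_u xor h(M || TW), F_u = h(h(ID_u || TW))."""
    X_u = h(id_u, point_bytes(pk_rc))
    return {"Y_u": xor(X_u, h(M, TW)), "F_u": h(h(id_u, TW))}

def card_accepts(card, id_u, pw_u, b_u):
    """Local check F_u == h(h(ID_u || TW)) that the card runs before login / password change."""
    TW = h(xor(card["a"], H(b_u, pw_u)))
    return hmac.compare_digest(card["F_u"], h(h(id_u, TW)))

def run_demo():
    # Constructed sample values; a real RC draws x and the user draws a at random.
    x = int.from_bytes(h(b"constructed RC master key"), "big") % ORDER
    s, pk_sj, pk_rc = rc_register_server(x, b"server-A")
    a = bytes(range(32))
    id_u, pw_u, b_u = b"user-0001", b"correct horse", b"biometric-template"
    M, TW = user_registration_request(id_u, pw_u, b_u, a)
    card = rc_register_user(id_u, M, TW, pk_rc)
    card["a"] = a  # UR Step3: the card now holds {h(), Y_u, F_u, a}
    # X_u comes back out of the card only with M and TW, i.e. with all three factors
    x_u_recovered = xor(card["Y_u"], h(M, TW))
    return {
        "pk_sj_on_curve": on_curve(pk_sj) and on_curve(pk_rc),
        "x_u_matches": x_u_recovered == h(id_u, point_bytes(pk_rc)),
        "accept_correct": card_accepts(card, id_u, pw_u, b_u),
        "reject_wrong_pw": card_accepts(card, id_u, b"wrong pw", b_u),
    }
```

`run_demo()` walks through both registrations and then exercises the card's local check with the correct factors and with a wrong password; the card stores only $Y_u$, $F_u$ and $a$, so $X_u$ is unmasked only when $M$ and $TW$ are rebuilt from the identity, biometric and password together.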

Login and authentication phase
In this phase, authenticated access is granted to user $U_u$ for accessing service provider $S_j$. $U_u$ and $S_j$ authenticate each other in the following steps.
LAP Step1: $U_u$ inputs $ID_u$ and password $PW_u$ and scans the biometric impression in the scanner. The smart card then computes $TW = h(a \oplus H(B_u \| PW_u))$ and checks whether [...] holds. If it holds true, then RC creates an arbitrary nonce $D_j$ and computes [...]. $U_u$ sends $M_3 = Z_{uj}$ to $S_j$ so that it can check the challenge based on $D_j$.
LAP Step5: After receiving $M_3$, server $S_j$ computes $SK_{uj} = h(ID_u \| C_uP \| D_j \| X_u \| ID_j)$ and then verifies $h(SK_{uj} \| ID_u \| C_uP \| X_u \| ID_j) \stackrel{?}{=} Z_{uj}$. On successful verification, the server shares the session key $SK = h(ID_u \| C_uP \| D_j \| X_u \| ID_j)$ with the user. The protocol is summarised in Fig. 2.
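The LAP Step5 check, as an added example that is not the paper's code. Because the intermediate login messages are not reproduced above, the values $X_u$, $C_uP$ and $D_j$ that both sides hold at this point are constructed stand-ins ($C_uP$ is used as opaque point bytes, since it only enters the hashes), $h()$ is modelled with SHA-256, and the function names are this example's own. It shows the user's $Z_{uj}$ being recomputed and verified by the server, that two sessions with different $D_j$ yield different keys, and that an $M_3$ replayed against a fresh $D_j$ is rejected.

```python
import hashlib
import hmac

def h(*parts):
    """The scheme's hash h(), modelled with SHA-256; '||' is byte concatenation."""
    return hashlib.sha256(b"".join(parts)).digest()

# Constructed stand-ins for the values that the earlier login steps establish on
# both sides. In the paper C_uP is a curve point; here only its byte encoding matters.
ID_U, ID_J = b"user-0001", b"server-A"
X_U = h(b"constructed X_u = h(ID_u || pk_RC)")
C_U_P = h(b"constructed encoding of C_u * P")

def session_key(id_u, cu_p, d_j, x_u, id_j):
    """SK_uj = h(ID_u || C_uP || D_j || X_u || ID_j)"""
    return h(id_u, cu_p, d_j, x_u, id_j)

def confirmation(sk, id_u, cu_p, x_u, id_j):
    """Z_uj = h(SK_uj || ID_u || C_uP || X_u || ID_j), the value carried in M_3."""
    return h(sk, id_u, cu_p, x_u, id_j)

def server_accept(m3, id_u, cu_p, d_j, x_u, id_j):
    """LAP Step5: recompute SK_uj, check Z_uj in constant time, return SK or None."""
    sk = session_key(id_u, cu_p, d_j, x_u, id_j)
    expected = confirmation(sk, id_u, cu_p, x_u, id_j)
    return sk if hmac.compare_digest(expected, m3) else None

def run_login(d_j):
    """One session with the server's nonce D_j: user derives SK, sends M_3, server verifies."""
    user_sk = session_key(ID_U, C_U_P, d_j, X_U, ID_J)
    m3 = confirmation(user_sk, ID_U, C_U_P, X_U, ID_J)
    server_sk = server_accept(m3, ID_U, C_U_P, d_j, X_U, ID_J)
    return user_sk, m3, server_sk

def replay_is_rejected(first_d_j, fresh_d_j):
    """An M_3 captured in one session does not verify against a later session's D_j."""
    _, old_m3, _ = run_login(first_d_j)
    return server_accept(old_m3, ID_U, C_U_P, fresh_d_j, X_U, ID_J) is None
```

`run_login(d_j)` returns the user's key, the message $M_3$ and the server's verified key (or `None`); `replay_is_rejected` exercises the per-session freshness of $D_j$ that the replay-attack discussion relies on.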

Password changing phase
$U_u$ may change the password to a new password ($PW^n_u$) using the following steps.
PC Step1: Initially, the user inputs identity $ID^*_u$ and password $PW^*_u$ and scans the biometric impression after inserting the smart card (SC) into the reader. SC then computes $TW = h(a \oplus h(B_u \| PW_u))$ and verifies $F_u \stackrel{?}{=} h(h(ID_u \| TW))$. If it holds true, the user proceeds to the next step.
PC Step2: SC computes $TW = h(a \oplus h(B_u \| PW_u))$ and calculates [...].
PC Step3: When the user changes the password to $PW^n_u$, the smart card [...].
PC Step4: The values $X_u$, $Y_u$ and $F_u$ in the smart card are replaced by $X^n_u$, $Y^n_u$ and $F^n_u$.

Revocation/re-registration phase
In this section, we show that if $U_u$'s smart card has been stolen or his account has been revoked, he can request re-registration by following these steps:
RP Step1: $U_u$ generates a random number $a^*$, a new password $PW^*_u$ and a biometric $B^*_u$ of his/her own choice, then computes $M^* = H(ID_u \| B^*_u)$ and $TW^* = h(a^* \oplus H(B^*_u \| PW^*_u))$ and submits the request message $\{ID_u, M^*, TW^*\}$ to the registration centre (RC) through a secure path.
RP Step2: On receiving the request message $\{ID_u, M^*, TW^*\}$ from $U_u$, RC first checks in the verifier table whether $U_u$ is already a registered user. If no match is found in the database, RC rejects the request.
RP Step3: RC then embeds the security parameters $\{h(), Y^*_u, F^*_u\}$ in a new smart card $SC^*_u$ and sends it to the user $U_u$ through a secure path.
RP Step4: $U_u$ takes the new smart card $SC^*_u$ and embeds $a^*$ into it. The phase is shown in Fig. 3.

Security analysis
In this section, informal and formal security analyses are presented. They show that the proposed scheme is safe against various possible attacks.

Informal security
This section presents a comprehensive informal security analysis of the contributed protocol.

Correct notion of user anonymity
In several authentication schemes for the multi-server environment, the server is usually unable to learn the identity of a user requesting login. In our view, such a notion of perfect anonymity is erroneous and undesirable in any environment, because a server that cannot know a user's identity cannot provide that user's specific services. In fact, in such a setting any user can continue to obtain the service provider's services even if he is not registered with the network or his lease has expired. In the proposed protocol, instead of the user's identity $ID_u$, a dynamic pseudo-identity $PID_u$ is sent to $S_j$ in each authentication request message. Furthermore, the user's identity $ID_u$ can only be extracted using the server's private key $s$. In addition, by analysing two different sessions an adversary cannot tell whether the same user initiated both. Hence, our protocol provides user anonymity and untraceability.

Replay attack
In this attack, captured messages are replayed without any modification in order to deceive a legitimate user [31][32][33][34]. An adversary can capture the parameters $PID_u, DID_u, O_p, Q_{uj}, T_u, V_j$ and attempt to replay them in a request in order to impersonate a legal member. However, even if the adversary captures these contents, he cannot mount the attack, because $C_u$ and $D_j$ are freshly created by the legitimate members for every session. Similarly, if an adversary attempts to replay $M_1 = \{PID_u, DID_u, O_p\}$ to the server, the server verifies the user's validity in $M_3$, the reply to the challenge based on $D_j$. Symmetrically, the legitimate user validates $S_j$ through $M_2$, the response to the challenge $C_u$ carried in $M_1$. Hence the contributed protocol thwarts replay attacks.

Stolen smart card attack with offline dictionary
In a stolen smart card attack with an offline dictionary, the attacker tries different candidate passwords from a dictionary using the stolen SC credentials [35][36][37]. An attacker may attempt to exploit the available SC parameters, i.e. $h(), Y_u, F_u$. To estimate $PW_u$ from the parameters $Y_u$ and $F_u$, the adversary would need to know $ID_u$, $a$ and $B_u$ in order to derive $PW_u$ from $TW$, where $TW = h(a \oplus h(B_u \| PW_u))$. Consequently, this attack cannot be mounted in polynomial time using the smart card.

Known-key security
Known-key security preserves the confidentiality of private keys even when the session key of a particular session is exposed [38,39]. The session key $SK_{uj} = h(ID_u \| C_uP \| D_j \| X_u \| ID_j)$ does not include $U_u$'s password $PW_u$ as a parameter, so the adversary cannot recover those parameters from a disclosed session key. Hence, the contributed protocol offers known-key security.

Mutual authentication
The enhanced scheme provides mutual authentication because the legitimate participants verify each other. This property makes our protocol secure and enables early detection of possible attacks such as replay attacks.

Masquerading attack
In this attack, an attacker who has obtained one member's key for the current session can masquerade as another member of that session. The contributed protocol is immune to the key-compromise impersonation threat, in contrast to the scheme of [23], because the contents of a stolen card do not help the attacker obtain other constructive parameters such as $X_u$. Hence, the attacker cannot obtain the newly generated $Q_{uj}$ factor and therefore cannot mount an impersonation attack.

Stolen verifier attack
In this attack, the adversary misuses valuable data stored on the server side, together with users' private data such as passwords or other parameters, to masquerade as legal users. The contributed protocol offers mutual authentication without maintaining a repository on the $S_j$ or RC side. This shows that our scheme withstands the stolen verifier attack.

Password guessing attack
A guessing attack is applicable if an adversary obtains the parameters $PID_u, DID_u, O_p, Q_{uj}, T_u, V_j$ through a little analysis of the open channel. Nonetheless, the adversary cannot extract the password, because it is not used as a factor in the computation of any of these contents, which minimises the chances of estimating the corresponding factors.

Modification attacks
In this attack, the adversary alters captured parameters and submits them to the intended party. The scheme is designed to resist this modification threat. If the adversary attempts to change the public contents $PID_u, DID_u, O_p, Q_{uj}, T_u, V_j$, he cannot reassemble the parameters $PID_u, DID_u, O_p$ with fresh session random values, because assembling them requires knowledge of the secret key and of $X_u$, which only a legal member knows. Consequently, a legal member can easily expose any malicious member, and the enhanced scheme discourages this attack.

Formal security analysis
In this section we describe the security model for the presented protocol and, using this model, prove the protocol safe against known attacks. Finally, the proposed protocol is shown to fulfil all the security requirements relevant to it.
Theorem THM1 Let $D_i$ be a uniformly distributed dictionary of possible passwords, with $|D|$ denoting its size. Let $A$ be an adversary against semantic security within time bound $t$. If the ECCDH problem is hard, then we have [...], where the probability that $A$ solves the ECCDH problem is denoted $A^{ECCDH}$, and $\{q_{exe}, q_{hsh}, q_{snd}\}$ are the numbers of Execute, random-oracle and Send queries, respectively.
Proof To prove Theorem THM1, six games $G_1$ to $G_6$ are considered. The sequence starts with a game in which the real attack is simulated and ends with a game in which adversary $A$ has no advantage. The probability that $A$ correctly guesses the random bit $b$ in the Test query in game $G_i$ is denoted $Suc_i$, $1 \le i \le 6$.
GAME $G_1$: This game simulates the real attack in the random oracle model. Every instance, i.e. $U_u$, $S_j$ and RC, is modelled as an honest execution. By the definition of $Suc_1$, we obtain the following equation. [...]
GAME $G_2$: In $G_2$ the oracles, i.e. the hash oracle $h$ and the Execute, Corrupt, Reveal, Send and Test oracles, are simulated. The hash oracle is simulated by maintaining a hash list $h_{list}$ whose entries are pairs (input, output). When a hash query is answered, the oracle returns the stored output if a matching (input, output) entry exists in $h_{list}$; otherwise it returns a random value over $\{0,1\}$. The Corrupt, Reveal, Send and Test queries are run as in the real attack, and the threat model specifies the actual actions of all these queries. This simulation is indistinguishable from the real attack, so we have
(3) $\Pr(Suc_2) = \Pr(Suc_1)$
GAME $G_3$: This game runs all the executions of the random oracle model as in $G_2$, except that it aborts when a collision occurs in the simulation of the hash queries asked by adversary $A$. Thus this game rules out collisions in the ciphertexts, passwords and outputs of Send queries. By the birthday paradox, the probability of a collision in the hash oracle is $\frac{q_{exe}^2}{2p}$, and so the probability of a collision in game $G_3$ is $\frac{(q_{hsh}+q_{exe})^2}{2p}$. From this simulation we obtain the following equation. [...]
GAME $G_4$: This game runs as $G_3$ but aborts if adversary $A$ guesses $X_u$ without asking the hash oracle $h$. It is identical to the previous games unless the instances $U_i$ and $S_j$ reject the actual authentication value. From game $G_4$ we obtain the following equation. [...]
GAME $G_5$: This game terminates if the adversary guesses the session key directly without querying the hash oracle $h$. It makes the session key independent of $\{PW_u, B_u\}$, of the random numbers and of the point multiplications $C_u, D_j, P$. The game is aborted once the common value $X_u$ is queried. Thus $Adv^{ECCDH}(A) \le \frac{1}{q_{hsh}} \left|\Pr(Suc_5) - \Pr(Suc_4)\right| - \frac{1}{p}$, and we have [...]
GAME $G_6$: This game runs as $G_5$ except for the rule followed in the Test query. $G_5$ is aborted when $A$ queries the hash oracle with the identical values $C_u, D_j, P$. The probability that adversary $A$ obtains the correct session key through a hash query is at most $[\ldots]/2p$. Thus we have [...]. Until adversary $A$ enters the correct value into the random oracle $h$, the random oracle remains indistinguishable from the real attack, so $A$ gains no advantage in distinguishing the legal session key from a random oracle output. Furthermore, not more than three Corrupt queries can be performed simultaneously: if the smart-card and biometric Corrupt queries $(U_i, 3)$ and $(U_i, 4)$ are performed, then the password Corrupt query $(U_i, 2)$ cannot be, which is why the success rate of the off-line password guessing attack is $\frac{q_{snd}^2}{|D|}$. Combining all the equations from $G_1$ to $G_6$, we obtain the final bound $[\ldots]/2p$.

Performance analysis
In this section the robustness of the proposed protocol is assessed against other multi-server schemes [20][21][22][23][25]. The security traits, and the resistance of the different schemes to numerous attacks, are summarised in Table 2, which shows the proposed protocol as a strongly corroborated key agreement in contrast to the former schemes. From Table 2 we conclude that our protocol is more secure than [20][21][22][23][25]. All these protocols rely on hash-based symmetric cryptography and are similar in nature. We then analysed the cost of our authenticated protocol. The implementation setup is as follows: the cryptographic functions ($T_\oplus$, $T_\|$, $T_{h(\cdot)}$, $P_m$) were implemented in Python using the py-crypto library on Ubuntu 19.04, with 16.0 GB RAM and a 3.60 GHz Core i7 processor. The authentication scheme was executed 10 times under the same assumptions and the results averaged. Functions such as ($T_\|$, $T_\oplus$) are not counted because they take negligible execution time. The execution times for $h(\cdot)$, $H(\cdot)$ and point multiplication are 0.0120 ms, 0.015 ms and 0.02957 ms, respectively. The communication, energy, storage and computation costs of our scheme compared with the related protocols are presented in Table 3. The execution times of the considered cryptographic functions are assumed as follows: [...] It is observed that the computation cost of our proposed scheme is higher than that of the schemes [20][21][22][23][25], but it offers added security features. Furthermore, our protocol achieves the mandatory security objectives at lower cost than Hsiang and Shih's scheme.
Moreover, in contrast to the former protocols, the proposed protocol is secure against stolen smart card, password guessing and insider attacks.

(8)
The cost comparison is given in Table 3 and further elaborated in Figs. 4, 5, 6 and 7. The computation cost of the proposed and related schemes is shown in Fig. 4, with the number of verifiers on the horizontal axis and the required computation time for that number of verifiers on the vertical axis. It can be observed that the computation cost of our protocol is far less than that of the related schemes.
Energy consumption is calculated as $E_c = T_{cc} \cdot P_{CPU}$, where $T_{cc}$ is the total computation cost for a single hash function (0.054 mJ), $P_{CPU}$ is the maximum power of the CPU (65 W) and $E_c$ is the energy consumed [40]. Power consumption gives a rough estimate of the energy consumed during computation. We have also examined the protocol with respect to energy consumption by taking the computation energy cost of SHA-1 as 0.54 mJ per byte [41], as shown in Fig. 5. On this basis, the energy consumption of [20][21][22][23][25] and of our scheme amounts to 1.64 mJ, 0.98 mJ, 1.10 mJ, 1.05 mJ, 1.24 mJ and 0.91 mJ, respectively. The final energy consumption values of the proposed and related schemes are given in Table 3. Hence, the energy consumption of the proposed scheme is less than that of the related schemes.
The assumptions made for determining the communication and storage costs are as follows: 160 bits are reserved for each random nonce, timestamp, password and identity, 256 bits for a one-way hash output and 512 bits for a public key. The storage and communication costs of our scheme and the related schemes, calculated on the basis of these assumptions, are presented in Table 3.
The communication cost of the proposed and related schemes is presented in Fig. 6, with the schemes on the horizontal axis and the required number of communication bits on the vertical axis. The number of communication bits of the proposed scheme is slightly greater than that of the related schemes, but our scheme provides more security traits. The storage cost of the proposed and related schemes is displayed in Fig. 7, with the required number of storage bits on the vertical axis and the schemes on the horizontal axis.
The storage bits of our scheme are slightly greater than those of the related protocols, solely because more security features are provided to make the protocol secure. After analysing Tables 2 and 3, we can say that the computation time of our scheme is less than that of the related schemes, and that it provides more security traits at slightly higher communication and storage costs.

Conclusion
The robustness of multi-server authentication is an important requirement of the current remote authentication paradigm. Recently, extensive research has been conducted on developing robust authentication protocols for the multi-server environment. In this paper we proposed an anonymous multi-server authentication scheme, designed with the flaws of previous schemes in mind so as to provide enhanced security features. The paper also presents the performance evaluation and formal security analysis against various schemes, which shows that our scheme provides more security features.