A provably-secure ECC-based authentication scheme for wireless sensor networks.

A smart-card-based user authentication scheme for wireless sensor networks (in short, a SUA-WSN scheme) is designed to restrict access to the sensor data only to users who are in possession of both a smart card and the corresponding password. While a significant number of SUA-WSN schemes have been suggested in recent years, their intended security properties lack formal definitions and proofs in a widely-accepted model. One consequence is that SUA-WSN schemes insecure against various attacks have proliferated. In this paper, we devise a security model for the analysis of SUA-WSN schemes by extending the widely-accepted model of Bellare, Pointcheval and Rogaway (2000). Our model provides formal definitions of authenticated key exchange and user anonymity while capturing side-channel attacks, as well as other common attacks. We also propose a new SUA-WSN scheme based on elliptic curve cryptography (ECC), and prove its security properties in our extended model. To the best of our knowledge, our proposed scheme is the first SUA-WSN scheme that provably achieves both authenticated key exchange and user anonymity. Our scheme is also computationally competitive with other ECC-based (non-provably secure) schemes.

Introduction

As various sensors emerge and the related technologies advance, there has been a dramatic increase in the interest in wireless sensor networks (WSNs). Today, billions of physical, chemical and biological sensors are being deployed into various types of WSNs for numerous applications, including military surveillance, wildlife monitoring, vehicular tracking and healthcare diagnostics [1]. A major benefit of WSN systems is that they provide unprecedented abilities to explore and understand large-scale, real-world data and phenomena at a fine-grained level of temporal and spatial resolution. However, providing an application service in a WSN environment introduces significant security challenges to be addressed among the involved parties: users, sensors and gateways. One important challenge is to achieve authenticated key exchange between users and sensors (via the assistance of a gateway), thereby preventing illegal access to the sensor data and their transmissions. Authenticated key exchange in WSNs is more challenging to achieve than in traditional networks due to the sensor network characteristics, such as resource constraints, unreliable communication channel and unattended operation. Another important challenge is to provide user anonymity, which makes authenticated key exchange even harder. As privacy concern increases, user anonymity has become a major security property in WSN applications, as well as in many other applications, like mobile roaming services, anonymous web browsing, location-based services and e-voting. User authentication schemes for WSNs are designed to address these security challenges [2,3], and are a subject of active research in network security and cryptography.

Generally speaking, the design of cryptographic schemes (including user authentication schemes for WSNs) is error-prone, and their security analysis is time-consuming. The difficulty of getting a high level of assurance in the security of cryptographic schemes is well illustrated with examples of flaws discovered in many such schemes years after they were published; see, e.g., [4-6]. The many flaws identified in published schemes over the decades have promoted formal security analyses, which are broadly classified into two approaches [7,8]: the computer security approach and the computational complexity approach. The computer security approach places its emphasis on automated machine specification and analysis mostly in the Dolev–Yao adversarial model [9], where the underlying cryptographic primitives are often used in a black-box manner ignoring some of cryptographic details. The main problem with this automated approach is intractability and undecidability, as the adversary may exhibit a large set of possible behaviors, which leads to a state explosion. Cryptographic schemes proven secure in such a fashion could possibly be flawed, yielding a false positive result. In contrast, the computational complexity approach places its emphasis on deriving a polynomial-time reduction from the problem of breaking the scheme into another problem believed to be hard. A complete computational proof under a well-established cryptographic assumption provides a strong assurance that the security properties of the scheme are satisfied. Accordingly, it has been standard practice for the designers of cryptographic schemes to provide a proven reduction for the security of their schemes in a widely-accepted model [10,11]. Although these human-generated mathematical proofs are usually lengthy and complicated, they are certainly an invaluable tool for getting secure cryptographic schemes.

In 2009, Das [12] proposed a smart-card-based user authentication scheme for wireless sensor networks; throughout the paper, we call such a scheme a SUA-WSN scheme. Since then, the design of SUA-WSN schemes has received significant attention from researchers due to their potential to be widely deployed, and a number of solutions offering various levels of efficiency and security have been subsequently proposed [2,3,13-27]. Early schemes only aimed to achieve mutual authentication [13-15], while later schemes attempted to provide additional security properties, such as authenticated key exchange [2,3,16-27] and user anonymity [2,3,20,22-24,26]. Some schemes [16,21,27] employ elliptic curve cryptography to provide perfect forward secrecy, while others [2,3,12-14,17-20,22-26] only use symmetric cryptography and hash functions to focus on improving the efficiency.

One important security requirement for SUA-WSN schemes is to ensure that only a user who is in possession of both a smart card and the corresponding password can pass the authentication check of the gateway and gain access to the sensor network and data. A SUA-WSN scheme that meets this requirement is said to achieve two-factor security. To properly capture the notion of two-factor security, the adversary against SUA-WSN schemes is assumed to be able to either extract the sensitive information in the smart card of a user possibly via a side-channel attack [28,29] or learn the password of the user through shoulder-surfing or by exploiting a malicious card reader, but not both. Clearly, there is no means to prevent the adversary from impersonating a user if both the password of the user and the information in the smart card are disclosed.

Despite the research efforts over the recent years, it remains a significant challenge to design a robust SUA-WSN scheme that carries a formal proof of security in a widely-accepted model. As summarized in Table 1, most of the published schemes either provide no formal analysis of security [3,12-14,16,20-22,24-26] or fail to achieve important security properties, such as mutual authentication, session-key security, user anonymity, two-factor security and resistance against various attacks [3,13-16,19,21-27,30,31]. Some schemes [2,17-19,23,27] have been proven secure using a computer security approach, which, as mentioned above, suffers from intractability and undecidability and could possibly give a false positive result. To the best of our knowledge, Chen and Shih's scheme [15] is the only SUA-WSN scheme that was proven secure using a computational complexity approach. However, Chen and Shih's scheme does not provide key exchange functionality, but only focuses on mutual authentication (and thus, inherently, cannot carry a proof of authenticated key exchange). Moreover, the security model used for this scheme captures neither the user anonymity property nor the notion of two-factor security.

Table 1.

A summary of security results for existing SUA-WSN (smart-card-based user authentication scheme for wireless sensor networks) schemes.

Scheme	Security Justification	Major Weaknesses
Das [12]	Heuristic arguments	No key-exchange functionality
He et al. (2010) [13]	Heuristic arguments	No key-exchange functionality
Khan and Alghathbar [14]	Heuristic arguments	No key-exchange functionality
Chen and Shih [15]	Computational complexity approach (only for entity authentication)	No key-exchange functionality
Yeh et al. [16]	Heuristic arguments	Failures of mutual authentication and forward secrecy [30]
Kumar et al. (2011) [2]	Computer security approach	Vulnerability to a node capture attack [24]
Kumar et al. (2012) [17]	Computer security approach	Failures of authenticated key exchange, user anonymity and two-factor security [3,23]
Yoo et al. [18]	Computer security approach	Vulnerability to a man-in-the-middle attack [22]
Vaidya et al. [19]	Computer security approach	Failure of user authentication [25]
Xue et al. [20]	Heuristic arguments	Vulnerability to a privileged insider attack [26]
Shi and Gong [21]	Heuristic arguments	Failures of authenticated key exchange and two-factor security [27]
Kumar et al. (2013) [22]	Heuristic arguments
He et al. (2013) [23]	Computer security approach
Chi et al. [24]	Heuristic arguments
Kim et al. [25]	Heuristic arguments
Khan and Kumari [3]	Heuristic arguments
Jiang et al. [26]	Heuristic arguments
Choi et al. [27]	Computer security approach	No provision of user anonymity

The contributions of this paper are two-fold:

We present a security model for the analysis of sua-wsn schemes. Our security model is derived by extending the widely-accepted model of Bellare, Pointcheval and Rogaway [10] to incorporate into it the user anonymity property and the notion of two-factor security. Notice that the original Bellare–Pointcheval–Rogaway (BPR) model for authenticated key exchange (AKE) already captures insider attacks, offline dictionary attacks and other common attacks. We refer readers to [32] to understand how a key exchange scheme that is vulnerable to an offline dictionary attack can be rendered insecure in the BPR model. Our extension of the BPR model provides two security definitions, one for the AKE security and one for the user anonymity property, and both definitions capture the notion of two-factor security. Security properties like authentication, session-key security, perfect forward secrecy, known-key security and resistance against insider attacks and offline dictionary attacks are implied by the AKE security.

We propose the first SUA-WSN scheme whose AKE security, as well as user anonymity are formally proven in a widely-accepted model. Our scheme employs elliptic curve cryptography (ECC) to provide perfect forward secrecy, but differs from other ECC-based schemes [16,21,27] in that it provides user anonymity. We prove the security properties of our scheme in the random oracle model under the elliptic curve computational Diffie–Hellman (ECCDH) assumption. We also show that our provably-secure scheme is computationally competitive compared with other ECC-based (non-provably secure) schemes.

Table 2 shows the basic notation that is used consistently throughout this paper.

Table 2.

Basic notation.

Symbol	Description
UR	User
SR	Sensor
GW	Gateway
IDUR,IDSR,IDGW	Identities of UR, SR and GW
pwUR	Password of U
sk	Session key
	Probabilistic polynomial-time adversary
L(·),H(·),F(·)	Cryptographic hash functions
Enck(·)/Deck(·)	Symmetric encryption/decryption under key k
MAC	Message authentication code
Mack(·)/Verk(·)	MAC generation/verification under key k
⊕	Bitwise exclusive-or (XOR) operation
‖	String concatenation operation
{0,1}n	Bit strings of length n

The remainder of this paper is structured as follows. Section 2 describes our extended security model for the analysis of SUA-WSN schemes. Section 3 presents the proposed SUA-WSN scheme along with cryptographic primitives on which the security of the scheme relies and then compares our scheme with other ECC-based schemes, both in terms of efficiency and security. Section 4 provides proofs of the user anonymity property and the AKE security for our scheme. Section 5 concludes the paper, summarizing our result and presenting some interesting future work.

Our Extended Security Model for SUA-WSN Schemes

In this section, we present a security model extended from the BPR model [10] to capture the security properties of SUA-WSN schemes.

Participants and long-lived keys. Let GW be the gateway and ℛ and ℛ be the sets of all sensors and users, respectively, registered with GW. Let ɛ = {GW} ∪ ℛ ∪ ℛ . We identify each entity E ∈ ɛ by a string, and interchangeably use E and ID to refer to this identifier string. To properly capture the user anonymity property, we assume that: (1) each user UR ∈ ℛ has its pseudo identity PID (as well as its true identity ID); and (2) the adversary is given only PID, but not ID. A user UR may run multiple sessions of the authentication and key exchange protocol of the scheme (hereafter simply called the protocol), either serially or concurrently, to anonymously establish a session key with a sensor SR ∈ ℛ via the assistance of the gateway GW. Therefore, at any given time, there could be multiple instances of the entities UR, SR and GW. We use to denote instance i of entity E ∈ E. Instances of UR and SR are said to accept when they compute a session key in an execution of the protocol. We denote the session key of by . Before the protocol is ever executed,

GW generates its master secret(s), issues a smart card to each UR ∈ ℛ and establishes a shared key with each SR ∈ ℛ ; and

each UR ∈ ℛ chooses its private password pw from the set of all possible passwords.

Partnering. Informally, we say that two instances are partners (or partnered) if they participate together in a protocol session and establish a shared key. Formally, the partner relationship between instances is defined in terms of the notion of the session identifier. A session identifier (sid) is literally an identifier of a protocol session and is typically defined as a function of the messages exchanged in the session. Let denote the sid of instance . We say that two instances, and , are partners if: (1) both instances have accepted; and (2) .

Adversary capabilities. The adversary is a probabilistic polynomial-time (ppt) machine, which has full control of all communications between entities. More specifically, the PPT adversary is able to: (1) eavesdrop, modify, intercept, delay and delete the protocol messages; (2) ask entities to open up access to session keys and long-term keys; and (3) extract the sensitive information on the smart cards of users. These capabilities of are modeled using a pre-defined set of oracles to which is allowed to ask queries. We assume that, when making oracle queries directed at (instances of) UR, the adversary uses the pseudo identity PI D, since it does not know the true identity ID. The oracle queries are described as follows:

Execute ( , , ): This query models passive eavesdropping on the protocol messages. It prompts a protocol execution among the instances , and and returns the transcript of the protocol execution to .

, m): This query sends a message m to an instance , modeling active attacks against the protocol. Upon receiving m, the instance proceeds according to the protocol specification. Any message generated by is output and given to . A query of the form Send( , start) prompts to initiate a protocol session.

Reveal( ): This query captures known key attacks. Upon receiving this query, the instance returns its session key back to (if it has accepted).

CorruptLL(E): This query returns the long-lived secret(s) of entity E, capturing the notion of forward secrecy, as well as resistance to unknown key share attacks and insider attacks.

CorruptSC(UR): This query captures side-channel attacks (i.e., the notion of two-factor security) and returns the information stored in the smart card of UR.

TestAKE( ): This query is used for defining the indistinguishability-based security of session keys. The output of the query depends on a random bit b chosen by the oracle; in response to the query, either the real session key if b = 1 or a random key drawn from the session-key space if b = 0 is returned to .

TestID(UR): This query is used for determining whether the protocol provides user anonymity or not. Depending on a random bit b chosen by the oracle, is given either the identity actually used for UR in the protocol sessions (when b = 1) or a random identity drawn from the identity space (when b = 0).

SR and GW are said to be corrupted when they are asked a CorruptLL query, while UR is considered as corrupted if it has been asked both CorruptLL and CorruptSC queries.

Authenticated key exchange (AKE). We define the AKE security of the authentication and key exchange protocol P by using the notion of freshness of instances. Informally, a fresh instance refers to an instance whose session key should be kept indistinguishable from a random key to the adversary , and an unfresh instance refers to an instance that holds a session key that can be distinguishable from a random key by trivial means. A formal definition of freshness follows:

Definition 1 (Freshness). An instance is fresh unless one of the following occurs:

queries Reveal( ) or Reveal( ), where , is the partner of ;

queries CorruptLL(SR) or CorruptLL(GW) before accepts.

queries both CorruptLL(UR) and CorruptSC(UR), for some UR ∈ ℛ , before accepts.

The AKE security of the protocol P is defined in the context of the following two-phase experiment: Experiment ExpAKE0:

Phase 1. freely asks any oracle queries, except that:

is not allowed to ask queries of the TestID oracle.

is not allowed to ask the TestAKE( ) query if the instance is not fresh.

is not allowed to ask the Reveal( ) query if it has already asked a TestAKE query of or its partner instance.

Phase 2. When Phase 1 is over, outputs a bit b′ as a guess of the random bit b selected by the TestAKE oracle. succeeds if b = b′.

Let SuccAKE0 be the event that succeeds in the experiment ExpAKE0. Let denote the advantage of in breaking the AKE security of protocol P and be defined as · Pr,[SuccAKE0] − 1.

Definition 2 (AKE security). The authentication and key exchange protocol P is AKE-secure if is negligible for any PPT adversary .

User anonymity. The AKE security does not imply user anonymity. In other words, an authentication and key exchange protocol that does not provide user anonymity may still be rendered AKE secure.

Hence, a new, separate definition is necessary to capture the user anonymity property. Our definition of user anonymity is based on the notion of cleanness.

Definition 3 (Cleanness). A user U R ∈ ℛ is clean unless one of the following occurs:

queries CorruptLL(GW).

queries both CorruptLL(UR) and CorruptSC(UR).

Note that this definition of cleanness does not impose any restriction on asking a CorruptLL query to SR. This reflects our objective to achieve user anonymity even against the sensor SR.

Now, consider the following experiment to formalize the user anonymity property:

Experiment ExpID0:

A freely asks any oracle queries, except that:

is not allowed to ask queries of the TestAKE oracle.

is not allowed to ask the TestID(UR) query if the user UR is not clean.

is not allowed to ask CorruptLL and CorruptSC queries against GW and UR if it has already asked the TestID(UR) query.

When Phase 1 is over, outputs a bit b′ as a guess on the random bit b selected by the TestID oracle. succeeds if b = b′.

Let SuccID0 be the event that A succeeds in the experiment ExpID0. Then, we define the advantage of in attacking the user anonymity of protocol P as .

Definition 4 (User anonymity). The authentication and key exchange protocol P provides user anonymity if is negligible for any PPT adversary .

The Proposed SUA-WSN Scheme

This section presents our ECC-based user authentication scheme for wireless sensor networks. Our scheme consists of three phases: the registration phase, the authentication, the key exchange phase and the password update phase. We begin by describing the cryptographic primitives on which the security of our scheme relies.

Preliminaries

Elliptic curve computational Diffie-Hellman (ECCDH) problem. Let be an elliptic curve group of prime order q. Typically, will be a subgroup of the group of points on an elliptic curve over a finite field. Let P be a generator of . Informally stated, the ECCDH problem for is to compute xyP ∈ when given two elements xP, yP ∈ 2, where x and y are chosen at random from . We say that the ECCDH assumption holds in if it is computationally intractable to solve the ECCDH problem for . More formally, we define the advantage of an algorithm in solving the ECCDH problem for as . We say that the ECCDH assumption holds in if is negligible for all PPT algorithms . We use to denote the maximum value of over all algorithms running in time at most t.

Symmetric encryption schemes. A symmetric encryption scheme Γ algorithms (Enc, Dec) where: (1) the encryption algorithm Enc takes as input an ℓ-bit key k and a plain text message m and outputs a ciphertext c; and (2) the decryption algorithm Dec takes as input a key k and a ciphertext c and outputs a message m. We require that Dec(Enc(m)) = m holds for all k ∈ {0,1}ℓ and all m ∈ , where is the plain text space. For an eavesdropping adversary against Γ and for an integer n ≥ 1 and a random bit b ∈R {0,1}, consider the following indistinguishability experiment:

Let be the advantage of an eavesdropper in violating the indistinguishability of Γ, and let it be defined as:

We say that Γ is secure if is negligible in ℓ for any PPT adversary . We define as , where the maximum is over all PPT adversaries running in time at most t.

Message authentication codes. A message authentication code (MAC) scheme Δ is a pair of efficient algorithms (Mac, Ver) where: (1) the MAC generation algorithm Mac takes as input an ℓ-bit key k and a message m and outputs a MAC δ and (2) the MAC verification algorithm Ver takes as input a key k, a message m and a MAC δ and outputs one if δ is valid for m under k or outputs zero if δ is invalid. Let be the advantage of an adversary in violating the strong existential unforgeability of Δ under an adaptive chosen message attack. More precisely, is the probability that an adversary , who mounts an adaptive chosen message attack against Δ with oracle access to Mac(·) and Ver(·), outputs a message/MAC pair (m,δ), such that: (1) Verk(m, δ) = 1; and (2) δ was not previously output by the oracle Mack as a MAC on the message m. We say that the MAC scheme Δ is secure if is negligible for every PPT adversary . Let denote the maximum value of over all adversaries running in time at most t.

Cryptographic hash functions. Our scheme uses three cryptographic hash functions L : {0,1}* → {0,1}ℓ, H : {0,1}* → {0,1} and F : {0,1}* → {0,1}, where ℓ is as defined for Δ and Γ, κis the bit-length of session keys and ε is the bit-length of SID (see Section 3.2.1 for the definition of SID). These hash functions are modeled as random oracles in our security proofs.

Description of the Scheme

The public system parameters for our scheme include:

an elliptic curve group with a generator P of prime order q,

a symmetric encryption scheme Γ = (Enc, Dec),

a MAC scheme Δ = (Mac, Ver), and

three hash functions L, H and F.

We assume that these public system parameters are fixed during an initialization phase and are known to all parties in the network. As part of the initialization, the gateway GW chooses two master keys , computes its public key X = xP and establishes a shared secret key k = L(ID‖y) with each sensor SR.

Registration Phase

A user UR registers itself with the gateway GW as follows:

UR chooses its identity I D and password pw freely and submits the identity I D to GW via a secure channel.

GW computes SID = Enc((ID‖ID) and issues UR a smart card loaded with {SID, , P, Γ, Δ, L, H, F}. (We assume that q is implicit in .)

UR replaces SID with TID = SID ⊕ F(ID‖pw).

This phase of user registration is depicted in Figure 1.

Figure 1.

User registration.

Authentication and Key Exchange Phase

UR needs to perform this phase with SR and GW whenever it wishes to gain access to the sensor network and data. The steps of the phase are depicted in Figure 2 and are described as follows:

Figure 2.

The authentication and key exchange protocol.

UR inserts its smart card into a card reader and inputs its identity ID and password pw. Given ID and pw, the smart card retrieves the current timestamp T, selects a random and computes:

After the computations, the smart card sends the message M1 = 〈ID1, A, C〉 to the sensor SR.

Upon receiving M1, SR first checks the freshness of T1. If T1 is not fresh, SR aborts the protocol. Otherwise, SR retrieves the current timestamp T2, chooses a random and computes B and δ as follows:

Then, SR sends the message M2 = 〈ID2, B, δ〉 along with M1 to GW.

After having received M1 and M2, GW verifies that: (1) T1 and T2 are fresh; and (2) Ver(ID‖T2‖B‖M1, δ) = 1. If any of the verifications fails, GW aborts the protocol. Otherwise, GW computes K = xA and k = L(T1‖A‖K), decrypts C with key k and checks if the decryption produces the same ID as contained in M2. GW aborts if the check fails. Otherwise, GW decrypts SID with key L(x) and checks if this decryption yields the same ID as produced through the decryption of C. If only the two IDs match, GW computes: and sends two messages M3 = 〈ID, 〉 and M4 = 〈ID, 〉 to SR.

When receiving M3 and M4, SR verifies that Verk(ID‖ID‖B‖A, ) = 1. If the verification fails, SR aborts the protocol. Otherwise, SR forwards the message M3 to UR and computes the shared secret K = bA and the session key sk = H(A‖B‖K).

Upon receiving M3, UR checks if Ver(ID‖ID‖A‖B, ) = 1. U R aborts the protocol if the check fails. Otherwise, U R computes K = aB and sk = H(A‖B‖K).

Since K = bA = aB = abP, UR and SR will compute the same session key sk = H(A‖B‖abP; in the presence of a passive adversary.

Password Update Phase

One of the general guidelines to get better password security is to ensure that passwords are changed at regular intervals. Our scheme allows users to update their passwords at will.

UR inserts his smart card into a card reader and enters the identity ID, the current password pw and the new password .

The smart card computes and replaces TID with .

Performance and Security Comparison

Table 3 compares our scheme with other ECC-based SUA-WSN schemes in terms of the computational requirements, the AKE security and user anonymity. For fairness of comparison, SUA-WSN schemes that use only lightweight symmetric cryptographic primitives are not considered in the table since they cannot achieve forward secrecy, but have a clear efficiency advantage over the ECC-based schemes.

Table 3.

A comparison of elliptic curve cryptography (ECC)-based SUA-WSN schemes. AKE, authenticated key exchange.

Scheme	Computation		Security
	SR	UR+SR+GW	AKE	Anonymity
Our scheme	2M +2A+1H	6M +3E +6A+6H	Proven	Proven
Choi et al. [27]	2M +5H	6M +18H	Proven using a computer security approach	No
Shi and Gong [21]	2M +4H	6M +15H	Broken [27]	No
Yeh et al. [16]	2M +1P + 2H	8M +2P +9H	Broken [30]	No

M: scalar-point multiplication; P: map-to-point operation; E: symmetric encryption/decryption; A: MAC generation/verification; H: hash function evaluation.

The scalar-point multiplication and map-to-point operation are much more expensive than the other operations considered in the table, such as symmetric encryption/decryption, MAC generation/verification and hash function evaluation. The total number of modular exponentiations and map-to-point operations required in Yeh et al.'s scheme [16] is 10, while the number is reduced to six in the other schemes. Therefore, the overall performance of Yeh et al.'s scheme is not as good as those of the other schemes.

From the viewpoint of the computational burden on the sensor SR, our scheme is competitive with Choi et al.'s scheme [27] and Shi and Gong's scheme [21], since a MAC generation/verification is almost as fast as a hash function evaluation. According to Crypto++ benchmarks, HMACwith SHA-1 takes 11.9 cycles per byte, while SHA-1 takes 11.4 cycles per byte (see Table 4).

Table 4.

A result of Crypto++ benchmarks for HMAC, SHA-1 and AES.

Algorithm	HMAC (SHA-1)	SHA-1	AES/CTR	AES/CBC	AES/OFB	AES/ECB
Cycles Per Byte	11.9	11.4	12.6	16.0	16.9	16.0

Another point we wish to make is that a hash function evaluation with a long input string may not be faster than a symmetric encryption with a relatively short plain text input, though the opposite is generally true for the same length of inputs. For example, the computation of the ciphertext C in our scheme is unlikely to be more expensive than the computations of the hash values β, γ and δ, which are defined in both Choi et al.'s scheme and Shi and Gong's scheme. In this sense, it is fair to say that our scheme is competitive also in terms of the overall computational cost.

As is obvious from the table, our scheme is the only one that provides user anonymity (regardless of whether it is proven or not). This explains how the other schemes could have been designed without using any form of encryption algorithm. Choi et al. [27] prove that their scheme achieves the AKE security, but only using a computer security approach. In contrast, we use a computational complexity approach in proving both the AKE security and the user anonymity property

Security Results

Let P denote the authentication and key exchange protocol of our scheme depicted in Figure 2. This section proves that the protocol P is AKE-secure and provides user anonymity (against any party other than the gateway GW); see Section 2 for the formal definitions of the AKE security and the user anonymity property

Proof of AKE Security

Theorem 1. Our authentication and key exchange protocol P is AKE-secure in the random oracle model under the ECCDH assumption in Δ.

Proof. Assume a ppt adversary against the AKE security of the protocol P. We prove the theorem by making a series of modifications to the original experiment ExpAKE0, bounding the effect of each change in the experiment on the advantage of and ending up with an experiment where has no advantage (i.e., has a success probability of 1/2). Let SuccAKE denote the event that correctly guesses the random bit b selected by the TestAKE oracle in experiment ExpAKE. Let t be the maximum time required to perform the experiment ExpAKE involving the adversary .

Experiment ExpAKE1. In this first modified experiment, the simulator answers the queries to the L oracle as follows:

For each query of L on a string m, the simulator first checks if an entry of the form (m, l) is in a list called LList, which is maintained to store input-output pairs of L. If it is, the simulator outputs l as the answer to the hash query. Otherwise, the simulator chooses a random ℓ-bit string str, answers the query with str and adds the entry (m, str) to LList.

This is the only difference between ExpAKE1 and ExpAKE0; the simulator answers all other oracle queries of as in the original experiment ExpAKE0. Then, since ExpAKE1 is perfectly indistinguishable from ExpAKE0, it follows that:

Claim 1. Pr[SuccAKE1] = Pr[SuccAKE0].

Experiment ExpAKE2. In this experiment, we modify the computations of X and A as follows:

The simulator chooses two random elements Y,Y′ ∈ and sets X = Y′.

For every fresh instance, the simulator chooses a random and sets A = rY. For other instances, the simulator computes A as in experiment ExpAKE1.

Due to the modification, the simulator does not know the master secret x. The simulator aborts the experiment if makes the CorruptLL(GW) query However, in this case, cannot gain any advantage, as no instance is considered fresh. In this experiment, the simulator simply sets each k to a random ℓ-bit string, since it does not know the ephemeral secret a and, thus, cannot compute the secret K. This means that the success probability of may be different between ExpAKE1 and ExpAKE2 if it asks an L(T1‖A‖K) query However, this difference is bounded by Claim 2.

Claim 2. , where q.

Proof. We prove the claim via a reduction from the ECCDH problem, which is believed to be hard, to the problem of distinguishing two experiments ExpAKE1 and ExpAKE2. Assume that the success probability of is non-negligibly different between ExpAKE1 and ExpAKE2. Then, we construct an algorithm ECCDH that solves the ECCDH problem in with a non-negligible advantage. The objective of ECCDH is to compute and output the value W = uvP ∈ when given an ECCDH-problem instance (U = uP, V = vP) ∈ . ECCDH runs as a subroutine while simulating all of the oracles on its own.

ECCDH handles all of the oracle queries of as specified in experiment ExpAKE2, but using U and V in place of X and Y. When outputs its guess b′, ECCDH chooses an entry of the form (T1‖A‖ K, l) at random from LList and terminates outputting K/r. >From the simulation, it is not hard to see that ECCDH outputs the desired result W = uvP with probability at least 1/ if makes a L(T1‖A‖ K) query for some fresh user instance. This completes Claim 2.

Before proceeding further, we define the event Forge as follows:

Forge: The event that the adversary asks a Send query of the form for uncorrupted E and E′, such that msg contains a MAC forgery.

Experiment ExpAKE3. This experiment is different from ExpAKE2 in that it is aborted and the adversary does not succeed if the event Forge occurs. Then, we have:

Claim 3. , where qsend is the number of queries made for the oracle Send.

Proof. Assume that the event Forge occurs with a non-negligible probability. Then, we construct an algorithm forge who generates, with a non-negligible probability, a forgery against the MAC scheme Δ. The algorithm forge is given access to the Mack(·) and Verk(·) oracles. The objective of forge is to produce a message/MAC pair (m, δ), such that: (1) Ver(m, δ) = 1; and (2) δ has not been output by the oracle Mac(·) on input m.

Let n be the total number of MAC keys used in the sessions initiated via a Send query. Clearly, n ≤ qsend. forge begins by selecting a random i ∈ {1,…, n}. Let k denote the i – th key among all of the n MAC keys and Sendi be any Send query that is expected to be answered and/or verified using k. forge runs as a subroutine and answers the oracle queries of as in experiment ExpAKE2, except that: it answers all Sendi queries by accessing its Mac(·) and Ver(·) oracles. As a result, the i — th MAC key k is not used during the simulation. If Forge occurs against an instance who holds k, forge halts and outputs the message/MAC pair generated by as its forgery. Otherwise, forge terminates with a failure indication.

If the guess i is correct, then the simulation is perfect and forge achieves its goal. Namely, . Since nk ≤ qsend, we get . Since forge runs in time at most t3, it follows, by definition, that . This completes the proof of Claim 3.

Experiment ExpAKE4. We next modify the way of answering queries of the H oracle as follows:

For each H query on a string m, the simulator first checks if an entry of the form (m, h) is in a list called HList, which is maintained to store input-output pairs of H. If it is, h is the answer to the hash query. Otherwise, the simulator chooses a random κ-bit string str, answers the query with str and adds the entry (m, str) to HList.

Other oracle queries of are handled as in experiment ExpAKE3. Since ExpAKE4 is perfectly indistinguishable from ExpAKE3, it is clear that:

Claim 4. Pr[SuccAKE4] = Pr[SuccAKE3].

Experiment ExpAKE5. We finally modify the experiment so that, for each fresh instance of SR, the computation of B is done as follows:

The simulator selects a random and computes B = r′X.

The simulator sets the session key sk to a random κ-bit string for each pair of fresh instances, as it cannot compute K. Accordingly, the success probability of may be different between ExpAKE4 and ExpAKE5 if it asks an H(A‖B‖K) query. Claim 5 below bounds the difference:

Claim 5. , where qH is the number of queries made of the H oracle.

Proof. Suppose that the difference in the advantage of between SuccAKE4 and SuccAKE5 is non-negligible. Then, from , we construct an algorithm ECCDH that solves the ECCDH problem in with a non-negligible advantage. The objective of ECCDH is to compute and output the value W = uvP ∈ when given an ECCDH-problem instance (U = uP, V = vP) ∈ .

ECCDH runs as a subroutine while answering all of the oracles queries by itself. ECCDH handles the queries of as specified in the ExpAKE5 experiment, but using U and V in place of X and Y. When terminates and outputs its guess b′, ECCDH selects an entry of the form (A‖B‖K, h) at random from HList and outputs K/rr′. If makes a H(A‖B‖K) query, ECCDH outputs the desired result W = uvP with probability at least 1/q. This completes Claim 5.

In experiment ExpAKE5, the adversary obtains no information on the random bit b selected by the TestAKE oracle, since the session keys of all fresh instances are selected uniformly at random from . Therefore, it follows that Pr, [SuccAKE5] = 1/2. This result combined with Claims 1–5 completes the proof of Theorem 1.

Proof of User Anonymity

Theorem 2. The authentication and key exchange protocol P provides user anonymity in the random oracle model under the ECCDH assumption in Γ.

Proof. Assume a PPT adversary against the user anonymity property of the protocol P. As in the proof of Theorem 1, we make a series of modifications to the original experiment ExpID0, bounding the difference in the success probability of between two consecutive experiments and then ending up with an experiment where has a success probability of 1/2 (i.e., has no advantage). We use SuccID to denote the event that A correctly guesses the random bit b selected by the TestID oracle in experiment ExpIDi. Let t be the maximum time required to perform the experiment ExpIDi involving the adversary .

Experiment ExpID1. This experiment is different from ExpID0 in that the random oracle L is simulated as follows:

For each query to L on a string m, the simulator first checks if an entry of the form (m, l) is in a list called LList, which is maintained to store input-output pairs of L. If it is, the simulator outputs l as the answer to the hash query. Otherwise, the simulator chooses a random ℓ-bit string str, answers the query with str and adds the entry (m, str) to LList.

Other oracle queries of are answered as in the original experiment ExpID0. Then, since L is a random oracle, ExpID1 is perfectly indistinguishable from ExpID0, and Claim 6 immediately follows.

Claim 6. Pr, [SuccID1] = PrP, [SuccID0].

Experiment ExpID2. Here, we modify the experiment so that A is computed as follows:

The simulator chooses a random exponent and computes Y = y P.

For each instance of users, the simulator chooses a random and sets A = rY.

As a result of the modification, each K is set to xyrP for some random . Since the view of is identical between ExpID2 and ExpID1, it follows that:

Claim 7. Pr, [SuccID2] = Pr,[SuccID1].

Experiment ExpID3. In this experiment, we modify the computations of X and A as follows:

The simulator chooses two random elements Y,Y′∈ and sets X = Y′.

For instances of every clean user, the simulator chooses a random and sets A = rY. For other instances, the simulator computes A as in experiment ExpID2.

As a result, the simulator does not know the master secret x. The simulator aborts the experiment if makes the CorruptLL(GW) query However, in this case, cannot gain any advantage, as no user is considered clean (see Definition 3). In this experiment, the simulator simply sets each k to a random ℓ-bit string, since it does not know the ephemeral secret a and, thus, cannot compute the secret K. This means that the success probability of may be different between ExpID2 and ExpID3 if it asks an L(T1‖A‖K) query However, this difference is bounded by Claim 8.

Claim 8. where q.

Proof. We prove the claim via a reduction from the ECCDH problem, which is believed to be hard, to the problem of distinguishing two experiments ExpID2 and ExpID3. Assume that the success probability of is non-negligibly different between ExpID2 and ExpID3. Then, we construct an algorithm ECCDH that solves the ECCDH problem in with a non-negligible advantage. The objective of ECCDH is to compute and output the value W = uvP ∈ when given an ECCDH-problem instance (U = uP, V = vP) ∈ AECCDH runs as a subroutine while simulating all of the oracles on its own.

ECCDH handles all of the oracle queries of as specified in experiment ExpID3, but using U and V in place of X and Y. When outputs its guess b′, ECCDH chooses an entry of the form (T1‖A‖K, l; at random from LList and terminates outputting K/r. >From the simulation, it is clear that ECCDH outputs the desired result W = uvP with a probability of at least 1/qL if A makes a L(T1‖A‖K) query for some clean UR ∈ ℛ . This completes Claim 8.

Experiment ExpID4. We finally modify the experiment so that, for each clean user UR ∈ ℛ , a random identity ID′ drawn from the identity space is used in place of the true identity ID in generating C.

Claim 9. .

Proof. We prove the claim by constructing an eavesdropper eav who attacks the indistinguishability of Γ with advantage equal to |Pr[SuccID4] − PrP, [SuccID3]|.

eav begins by choosing a random bit b ∈ {0,1}. Then, eav invokes the adversary and answers all of the oracle queries of as in experiment ExpID3, except that, for each clean user UR ∈ ℛ , it generates C by accessing its own encryption oracle as follows:

eav outputs (SID‖ID‖ID‖ID′UR‖ID) as its plain text pair in the indistinguishability experiment . Let c be the ciphertext received in return for the plain text pair. eav sets Cur equal to the ciphertext c.

That is, eav sets C to the encryption of either SID‖ID‖ID or SID‖ID‖ID. Now, when terminates and outputs its guess b′, eav outputs one if b = b′, and zero otherwise. Then, it is clear that:

The probability that eav outputs one when the first plain texts are encrypted in the experiment is equal to the probability that succeeds in the experiment ExpID3.

The probability that eav outputs one when the second plain texts are encrypted in the experiment is equal to the probability that succeeds in the experiment ExpID4.

That is, . Note that in the simulation, eav eavesdrops at most qsend encryptions, which is polynomial in the security parameter ℓ. This completes the proof of Claim 9.

In the experiment ExpID4, the adversary cannot gain any information on the random bit b selected by the TestID oracle, because the identities of all clean users are chosen uniformly at random from the identity space. It, therefore, follows that PrP, [SuccID4] = 1/2. This result combined with Claims 6–9 yields the statement of Theorem 2.

Concluding Remarks

We have extended the widely-accepted security model of Bellare, Pointcheval and Rogaway [10] to formally capture the security requirements for SUA-WSN schemes—smart-card-based user authentication schemes for wireless sensor networks. Our extended model provides formal definitions of the AKE security and the user anonymity property, while capturing the notion of two-factor security. We have also proposed a new SUA-WSN scheme and proved that it achieves user anonymity, as well as the AKE security in the extended model. To the best of our knowledge, our scheme is the first SUA-WSN scheme that is proven secure in a widely-accepted model.

We believe that our result lays a solid foundation for designing provably-secure two-factor authentication schemes for mobile roaming services, where user anonymity, as well as authenticated key exchange are also of critical security importance; see, e.g., the recent work of He et al. [33,34]. A concrete design of such a provably-secure roaming authentication scheme would be interesting future work. We also leave it as future work to present a formal treatment of security properties for three-factor authentication schemes [35].