An ID-based remote mutual authentication with key agreement scheme for mobile devices on elliptic curve cryptosystem

Computers & Security 28 (2009) 138–143

Jen-Ho Yang a, Chin-Chen Chang a,b,*

a Department of Computer Science and Information Engineering, National Chung Cheng University, 160 San-Hsing, Ming-Hsiung, Chiayi 621, Taiwan, ROC

b Department of Information Engineering and Computer Science, Feng Chia University, 100 Wenhwa Rd., Seatwen, Taichung 40724, Taiwan, ROC

Article history: Received 21 August 2008; Accepted 26 November 2008

Keywords: ID-based; Mutual authentication; Key agreement; Elliptic curve; Cryptosystem

* Corresponding author. Department of Information Engineering and Computer Science, Feng Chia University, 100 Wenhwa Rd., Seatwen, Taichung 40724, Taiwan, ROC. Tel.: +886 4 24517250x3790; fax: +886 2 7066495.

E-mail addresses: [email protected] (J.-H. Yang), [email protected] (C.-C. Chang).

0167-4048/$ – see front matter © 2008 Elsevier Ltd. All rights reserved. doi:10.1016/j.cose.2008.11.008

Abstract

Recently, remote user authentication schemes have been implemented on the elliptic curve cryptosystem (ECC) to reduce the computation load on mobile devices. However, most remote user authentication schemes on ECC are based on a public-key cryptosystem, in which each public key requires an associated certificate to prove its validity, so the user has to perform additional computations to verify the certificate. In addition, we find that these schemes do not provide mutual authentication or a session key agreement between the user and the remote server. Therefore, we propose an ID-based remote mutual authentication with key agreement scheme on ECC. Based on the ID-based concept, the proposed scheme does not require public keys for users, so the additional computations for certificates are avoided. Moreover, the proposed scheme not only provides mutual authentication but also supports a session key agreement between the user and the server. Compared with the related works, the proposed scheme is more efficient and practical for mobile devices.

© 2008 Elsevier Ltd. All rights reserved.

1. Introduction

With the rapid development of electronic technology, various mobile devices (e.g., cell phones, PDAs, and notebook PCs) have been produced to make human life more convenient, and many traditional transactions have become electronic transactions. Because mobile devices are portable, people can complete electronic transactions anytime and anywhere, and merchants can reduce their costs by not maintaining a physical store. Thus, more and more electronic transactions for mobile devices are implemented on the Internet or on wireless networks.

In electronic transactions, remote user authentication over an insecure channel is an important issue. For example, when a user wants to log in to a remote server and access its services, such as on-line shopping and pay-TV, the user and the server must authenticate each other's identity for a fair transaction. Generally, remote user authentication can be implemented with traditional public-key cryptosystems (PKC), such as RSA (Rivest et al., 1978) and ElGamal (1985). However, PKC needs modular exponentiation, which is a time-consuming operation, and the computation ability and battery capacity of mobile devices are limited. Therefore, PKC-based remote authentication schemes are not suitable for mobile devices. To solve these problems, various authentication schemes based on the elliptic curve cryptosystem (ECC) have been proposed (Abichar et al., 2007; Choie et al., 2005; Cao et al., 2008; Chen and Song, 2007; Jiang et al., 2007; Jia et al., 2006; Liao and Wang, 2007; Tian et al., 2005; Wu et al., 2005).

ECC was first proposed by Miller (1986) and Koblitz (1987), and its security is based on the difficulty of the elliptic curve discrete logarithm problem (ECDLP). Compared with PKC, ECC offers better performance because it achieves the same security with a smaller key size; for example, 160-bit ECC and 1024-bit RSA have the same security level in practice (Hankerson et al., 2004). Thus, ECC-based authentication schemes are more suitable for mobile devices than PKC-based ones. However, ECC-based authentication schemes still have some disadvantages when they are implemented on mobile devices. Like PKC, ECC needs a key authentication center (KAC) to maintain the certificates for users' public keys. As the number of users grows, the KAC needs a large storage space for the users' public keys and certificates. In addition, users need additional computations to verify the other party's certificate in these schemes (Abichar et al., 2007; Chen and Song, 2007; Jiang et al., 2007; Jia et al., 2006; Liao and Wang, 2007; Tian et al., 2005). This makes the computation load and energy cost of mobile devices very high.

To solve these problems, several ID-based authentication schemes on ECC have been proposed (Choie et al., 2005; Cao et al., 2008; Wu et al., 2005). The ID-based concept was first introduced by Shamir (1984). In an ID-based scheme, a user uses his unique identity (e.g., name, address, or e-mail address) as his public key. Thus, the user cannot deny that authentication information containing his identity belongs to him. Without separate public keys, users do not need to perform additional computations to verify the corresponding certificates, and the KAC does not need to maintain a large public-key table. However, the previous ID-based authentication schemes on ECC (Choie et al., 2005; Wu et al., 2005) are constructed using bilinear pairings, which are an expensive operation (Cao et al., 2008). For mobile devices, the computation and energy costs of pairing-based schemes are higher than those of ECDLP-based schemes.

On the other hand, we also find some disadvantages in the previous user authentication schemes on ECC: some of them do not provide mutual authentication (Chen and Song, 2007; Jiang et al., 2007; Jia et al., 2006; Wu et al., 2005) or session key agreement (Cao et al., 2008; Chen and Song, 2007; Jia et al., 2006; Wu et al., 2005) between the user and the server. For some applications, the user and the server need a session key to encrypt the secret information in their subsequent communications after they have authenticated each other. Accordingly, we propose an ID-based remote mutual authentication with key agreement scheme based on ECC in this paper. The main contributions of the proposed scheme are as follows.

1. Efficiency: Compared with the pairing-based authentication schemes, the proposed scheme imposes a smaller computation load on mobile devices because it relies only on point multiplication on ECC. Moreover, because it is built on the ID-based concept, the proposed scheme does not need additional computations to verify certificates, which further reduces the energy cost and computation load of mobile devices. Therefore, the proposed scheme is efficient for the users of mobile devices.

2. Reliability: For security, both the user and the server need to check the other party's validity in electronic transactions. However, some previous authentication schemes on ECC only allow the server to authenticate the user's identity, so an attacker can easily impersonate the server to steal the user's secret information. To solve this problem, the proposed scheme provides mutual authentication between the user and the server, which gives both parties assurance about the other.

3. Flexibility: Some previous authentication schemes on ECC only provide user authentication, without a session key agreement between the users and the remote server, so they can only be applied to remote login systems. For applications such as on-line shopping and pay-TV, the user and the server need to share a session key for the subsequent transactions after they have mutually authenticated each other. The proposed scheme not only accomplishes mutual authentication but also provides a session key agreement between a user and the remote server, so it is suitable for many applications.

4. Scalability: Based on the ID-based concept, the proposed scheme uses each user's unique identity to accomplish user authentication, so the server does not need to maintain a large public-key table as the number of users grows. Because user authentication involves only the user's identity, the server can easily confirm that a user is valid from his identity and can offer its services to a large number of users. Therefore, the proposed scheme scales well as users are added in electronic transactions.

The rest of the paper is organized as follows. Section 2 presents the basic concepts of ECC and Tian et al.'s authentication scheme on ECC (Tian et al., 2005). Section 3 presents the proposed scheme. Section 4 discusses the security and performance analyses, and Section 5 gives the conclusions.

2. Preliminaries

In this section, we first introduce the basic concepts of ECC and then review Tian et al.'s remote user authentication scheme on ECC (Tian et al., 2005).

2.1. Elliptic curve cryptosystem (ECC)

An elliptic curve is a cubic equation of the form $y^2 + axy + by = x^3 + cx^2 + dx + e$, where $a, b, c, d$ and $e$ are real numbers. In an elliptic curve cryptosystem (ECC), the curve is defined as $E_p(a, b): y^2 = x^3 + ax + b \pmod p$ over a prime finite field $F_p$, where $a, b \in F_p$, $p > 3$ and $4a^3 + 27b^2 \not\equiv 0 \pmod p$ (Hankerson et al., 2004). Given an integer $s \in F_p^*$ and a point $P \in E_p(a, b)$, the point multiplication $s \cdot P$ over $E_p(a, b)$ is defined as $s \cdot P = \underbrace{P + P + \cdots + P}_{s \text{ times}}$. More details of the ECC definitions can be found in Hankerson et al. (2004). Generally, the security of ECC relies on the difficulty of the following problems (Li et al., 2008).

Definition 1. Given two points $P$ and $Q$ over $E_p(a, b)$, the elliptic curve discrete logarithm problem (ECDLP) is to find an integer $s \in F_p^*$ such that $Q = s \cdot P$.

Definition 2. Given three points $P$, $s \cdot P$ and $t \cdot P$ over $E_p(a, b)$ for $s, t \in F_p^*$, the computational Diffie–Hellman problem (CDHP) is to find the point $(s \cdot t) \cdot P$ over $E_p(a, b)$.

Definition 3. Given two points $P$ and $Q = s \cdot P + t \cdot P$ over $E_p(a, b)$ for $s, t \in F_p^*$, the elliptic curve factorization problem (ECFP) is to find the two points $s \cdot P$ and $t \cdot P$ over $E_p(a, b)$. (As stated, this is only meaningful if the solver must return the particular pair formed from the $s$ and $t$ used to build $Q$; any other split $Q = X + (Q - X)$ is trivial to produce.)

No polynomial-time algorithm is known for any of the above problems (Li et al., 2008).

2.2. Tian et al.'s authentication with key agreement scheme on ECC

In this subsection, we introduce Tian et al.'s authentication with key agreement scheme on ECC (Tian et al., 2005). There are three participants in their scheme: user A, user B, and the certificate authority (CA). A and B want to authenticate each other and share a session key, and the CA is responsible for initializing the system parameters and generating the certificates of A and B. First, the CA chooses an elliptic curve $E_p(a, b)$ as defined in Subsection 2.1; the order of $E_p(a, b)$ is $n$. Then the CA selects a public point $P$ of order $n$ over $E_p(a, b)$ and computes its private/public key pair $(q_{CA}, Q_{CA})$ by $Q_{CA} = q_{CA} \cdot P$. The following notation is used in Tian et al.'s scheme: $H(\cdot)$ is a public one-way hash function with a 160-bit output, and "$\|$" denotes binary string concatenation. In addition, $KDF(\cdot)$ and $MAC(\cdot)$ denote a secure key derivation function and a message authentication code function (Tian et al., 2005), respectively. Tian et al.'s scheme runs as follows.

2.2.1. Certificate generation phase

Step 1. User A chooses an integer $g_A \in Z_p^*$ and computes $G_A = g_A \cdot P$. Then A sends his identity $ID_A$ and $G_A$ to the CA.

Step 2. The CA chooses a random integer $g_{CA} \in Z_p^*$ and computes $G_{CA} = g_{CA} \cdot P$ and $\bar{G}_A = G_A + G_{CA}$. Then the CA forms A's certificate $cer_A = (Q_{CA}, ID_A, \bar{G}_A, T_A)$, where $T_A$ is the expiration time of $cer_A$. Finally, the CA computes $cer'_A = H(cer_A)$ and $s_A = g_{CA} \cdot cer'_A + q_{CA} \bmod n$, publishes $cer_A$ and sends $s_A$ to user A.

Step 3. User A computes $cer'_A = H(cer_A)$ and his private key $q_A = s_A + g_A \cdot cer'_A \bmod n$, and then his public key $Q_A = q_A \cdot P$. Finally, A checks whether $Q_A = cer'_A \cdot \bar{G}_A + Q_{CA}$ holds. If it holds, A accepts the certificate; otherwise he rejects it. (The check holds for a correctly issued certificate because $cer'_A \cdot \bar{G}_A + Q_{CA} = (cer'_A \cdot g_A + cer'_A \cdot g_{CA} + q_{CA}) \cdot P = q_A \cdot P$.)

Similarly, user B obtains its private/public key pair $(q_B, Q_B)$ and the corresponding certificate $cer_B = (Q_{CA}, ID_B, \bar{G}_B, T_B)$ by the same steps.

2.2.2. Authentication with key agreement phase

Step 1. User A confirms the validity of B's public key by checking whether $Q_B = cer'_B \cdot \bar{G}_B + Q_{CA}$ holds. Similarly, B confirms the validity of A's public key by checking whether $Q_A = cer'_A \cdot \bar{G}_A + Q_{CA}$ holds.

Step 2. User A randomly chooses a $k$-bit integer $r_A$ and a redundant string $l$, and computes $m = (r_A \| l)$, where $k$ is a system-wide security parameter. Then A selects an integer $d_A \in Z_p^*$ and computes $D_A = d_A \cdot P$ and $D_B = d_A \cdot Q_B$. Finally, A computes $m' = m \oplus D_B.x$ and sends $(D_A, m')$ to B, where $D_B.x$ is the $x$ coordinate of the point $D_B$ over $E_p(a, b)$.

Step 3. User B computes $D_B = q_B \cdot D_A$ and $m = m' \oplus D_B.x$, and obtains $r_A$ from the most significant $k$ bits of $m$. Then B randomly chooses a $k$-bit integer $r_B$ and computes $y = E_{r_A}(ID_B \| r_B)$, where $E_{r_A}(\cdot)$ is a secure symmetric encryption under the symmetric key $r_A$. To obtain the session key $K$, B also computes $MacK \| K = KDF(r_A \| r_B \| ID_A \| ID_B)$, where $MacK$ is the message authentication code of $K$. Note that the lengths of $MacK$ and $K$ are pre-defined. Finally, user B sends $y$ to user A.

Step 4. User A decrypts $y = E_{r_A}(ID_B \| r_B)$ with $r_A$ to obtain $r_B$, and computes $MacK \| K = KDF(r_A \| r_B \| ID_A \| ID_B)$ to obtain the session key $K$. Then A computes $z = q_A \cdot H(MacK) + d_A \bmod n$ and sends $z$ to B.

Step 5. User B checks whether $z \cdot P = H(MacK) \cdot Q_A + D_A$ holds. If it holds, B computes $z' = MAC_{MacK}(ID_B \| ID_A)$ and sends it to A; otherwise the protocol is terminated.

Step 6. User A checks whether $z'$ is valid. If it is, A accepts the session key $K$; otherwise the protocol is terminated.

From Tian et al.'s scheme, we find that user authentication schemes on ECC that use public keys have the following disadvantages. First, the CA needs a large storage space to keep all users' public keys and certificates when the number of users becomes large. Second, the users need additional computations to verify the other party's certificate. These disadvantages make such authentication schemes on ECC unsuitable for mobile devices. To overcome them, we propose an ID-based remote mutual authentication with key agreement scheme for mobile devices on ECC in the next section.

3. The proposed scheme

The proposed scheme provides mutual authentication and a session key agreement between a user U and a remote server S. The server is responsible for initializing the system parameters and distributing a secret key to each user. The scheme is divided into three phases: the system initialization phase, the user registration phase, and the mutual authentication with key agreement phase. We present them as follows.

3.1. System initialization phase

Step 1. The server chooses an elliptic curve $E_p(a, b)$ with order $n$, as defined in Subsection 2.1.

Step 2. The server S selects a base point $P$ of order $n$ over $E_p(a, b)$, where $n$ is a large number for security. Then S derives its private/public key pair $(q_S, Q_S)$ by computing $Q_S = q_S \cdot P$.

Step 3. The server chooses three secure one-way hash functions $H_1(\cdot): \{0, 1\}^* \to G_P$, $H_2(\cdot): \{0, 1\}^* \to Z_p^*$ and $H_3(\cdot): \{0, 1\}^* \to Z_p^*$, where $G_P$ is the cyclic additive group generated by $P$ over $E_p(a, b)$.

Step 4. The server keeps $q_S$ private and publishes $\{E_p(a, b), P, Q_S, H_1(\cdot), H_2(\cdot), H_3(\cdot)\}$.

3.2. User registration phase

Step 1. The user U sends his identity $ID_U$ to the server.

Step 2. The server S computes $A_{ID_U} = q_S \cdot H_1(ID_U) \in G_P$, the authentication key of user U, and sends $A_{ID_U}$ to U over a secure channel.

Step 3. After receiving $A_{ID_U}$, U checks whether $A_{ID_U} \cdot P = Q_S \cdot H_1(ID_U)$ holds. If it holds, U keeps $A_{ID_U}$ private. (Note that, as written, both sides of this check multiply two points of $G_P$, an operation that is not defined in the group; checking that $A_{ID_U}$ was formed with the server's $q_S$ without knowing $q_S$ would require a bilinear pairing, which the scheme deliberately avoids. In practice the user relies on the secure channel of Step 2 for the authenticity of $A_{ID_U}$.)

Fig. 1 – Mutual authentication with key agreement phase.

3.3. Mutual authentication with key agreement phase

Step 1. The user U randomly chooses a point $R_U = (x_U, y_U) \in E_p(a, b)$, where $x_U$ and $y_U$ are the $x$ and $y$ coordinates of $R_U$. Then U computes $t_1 = H_2(T_1)$, $M_U = R_U + t_1 \cdot A_{ID_U}$ and $\bar{R}_U = x_U \cdot P$, where $T_1$ is a timestamp denoting the current time. Finally, U sends $(ID_U, M_U, \bar{R}_U, T_1)$ to the server.

Step 2. After receiving $(ID_U, M_U, \bar{R}_U, T_1)$, the server S computes $Q_{ID_U} = H_1(ID_U)$, $t_1 = H_2(T_1)$ and $R'_U = M_U - q_S \cdot t_1 \cdot Q_{ID_U}$ to obtain $Q_{ID_U} = (x_Q, y_Q)$ and $R'_U = (x'_U, y'_U)$. Then S checks whether $\bar{R}_U = x'_U \cdot P$ holds. If it holds, the server confirms that U is valid and that $x'_U = x_U$ (because $q_S \cdot t_1 \cdot Q_{ID_U} = t_1 \cdot A_{ID_U}$, so $R'_U = R_U$ exactly when $M_U$ was formed with the genuine $A_{ID_U}$); otherwise the protocol is terminated.

Step 3. The server S randomly chooses a point $R_S = (x_S, y_S) \in E_p(a, b)$ and computes $t_2 = H_2(T_2)$ and $M_S = R_S + t_2 \cdot q_S \cdot Q_{ID_U}$, where $T_2$ is the server's current timestamp. Then S computes the session key $k = H_3(x_Q, x_U, x_S)$. Finally, S computes $M_k = (k + x_S) \cdot P$ and sends $(M_S, M_k, T_2)$ to U.

Step 4. After receiving $(M_S, M_k, T_2)$, the user U computes $Q_{ID_U} = H_1(ID_U)$, $t_2 = H_2(T_2)$ and $R'_S = M_S - t_2 \cdot A_{ID_U}$ to obtain $Q_{ID_U} = (x_Q, y_Q)$ and $R'_S = (x'_S, y'_S)$. Then U computes $k' = H_3(x_Q, x_U, x'_S)$ and $M'_k = (k' + x'_S) \cdot P$, and checks whether $M'_k = M_k$ holds. If it holds, U confirms that S is valid and that the session key $k'$ equals $k$; otherwise the protocol is terminated.

Fig. 1 shows the mutual authentication with key agreement phase of the proposed scheme.
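The following Python program is an added illustration of the three phases above, and of the point arithmetic of Subsection 2.1 on which they rest; it is not the authors' code, and the paper fixes no curve, hash or encoding. It assumes the secp256k1 parameters for $E_p(a, b)$ and $P$, SHA-256 reduced modulo $n$ for $H_2$ and $H_3$, try-and-increment for $H_1$, that a "random point" is $r \cdot P$ for a random $r$, and that the server rejects a $T_1$ outside a freshness window (the replay argument in Subsection 4.1.2 depends on such a check). `run()` performs one complete exchange on a constructed identity and timestamp and returns both parties' keys; the same functions can be fed a replayed, re-stamped or forged first message to watch the Step 2 check fail.

```python
"""Added illustration of Sections 3.1-3.3 (not the authors' code). Assumed: the
secp256k1 parameters for E_p(a, b) and P (the paper fixes no curve), SHA-256 mod n
for H2/H3, try-and-increment for H1 (the paper gives only H1's signature)."""
import hashlib, secrets

p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
a, b = 0, 7
n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # prime order of P
P = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(A, B):
    """Point addition on y^2 = x^3 + ax + b over F_p; None is the point at infinity."""
    if A is None or B is None:
        return B if A is None else A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % p == 0:
        return None                                   # A == -B
    if A == B:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def ec_mul(s, A):
    """s*A = A + ... + A (s times), by double-and-add (Section 2.1)."""
    R, s = None, s % n
    while s:
        if s & 1:
            R = ec_add(R, A)
        A, s = ec_add(A, A), s >> 1
    return R

def ec_neg(A): return None if A is None else (A[0], -A[1] % p)

def H2(data):                                         # H2, H3: {0,1}* -> Z_n^* (never 0)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n or 1

def H3(xQ, xU, xS):
    return H2(b"".join(v.to_bytes(32, "big") for v in (xQ, xU, xS)))

def H1(identity):
    """H1: {0,1}* -> G_P by try-and-increment. p = 3 (mod 4), so rhs^((p+1)/4) is a
    square root of rhs whenever one exists; cofactor 1 puts every point in G_P."""
    for ctr in range(256):
        x = int.from_bytes(hashlib.sha256(identity + bytes([ctr])).digest(), "big") % p
        rhs = (x * x * x + a * x + b) % p
        y = pow(rhs, (p + 1) // 4, p)
        if y * y % p == rhs:
            return (x, y)
    raise ValueError("no curve point found for identity")

def random_point():
    return ec_mul(secrets.randbelow(n - 1) + 1, P)   # r*P for random r (paper: "choose R in E_p(a,b)")

q_S = secrets.randbelow(n - 1) + 1                    # 3.1 server private key
Q_S = ec_mul(q_S, P)                                  # 3.1 server public key

def register(ID_U):
    """3.2 Registration: A_IDU = q_S * H1(ID_U), delivered over a secure channel."""
    return ec_mul(q_S, H1(ID_U))

def user_step1(ID_U, A_IDU, T1):
    """3.3 Step 1: M_U = R_U + t1*A_IDU, R_bar = x_U * P; R_U is kept for Step 4."""
    R_U = random_point()
    M_U = ec_add(R_U, ec_mul(H2(T1.to_bytes(8, "big")), A_IDU))
    return (ID_U, M_U, ec_mul(R_U[0], P), T1), R_U

def server_step2_3(msg, now, T2, window=60):
    """3.3 Steps 2-3; returns ((M_S, M_k, T2), k), or None if U is rejected. The
    freshness window on T1 is an assumption that the replay argument of 4.1.2 needs."""
    ID_U, M_U, R_bar, T1 = msg
    if abs(now - T1) > window:
        return None                                   # stale or future timestamp
    Q_ID = H1(ID_U)
    R_U = ec_add(M_U, ec_neg(ec_mul(q_S * H2(T1.to_bytes(8, "big")), Q_ID)))  # M_U - q_S*t1*Q_ID
    if R_U is None or ec_mul(R_U[0], P) != R_bar:
        return None                                   # sender did not hold A_IDU
    R_S = random_point()
    M_S = ec_add(R_S, ec_mul(H2(T2.to_bytes(8, "big")) * q_S, Q_ID))
    k = H3(Q_ID[0], R_U[0], R_S[0])
    return (M_S, ec_mul(k + R_S[0], P), T2), k          # M_k = (k + x_S) * P

def user_step4(ID_U, A_IDU, R_U, reply):
    """3.3 Step 4: R'_S = M_S - t2*A_IDU; accept k' only if (k' + x'_S)*P == M_k."""
    M_S, M_k, T2 = reply
    R_S = ec_add(M_S, ec_neg(ec_mul(H2(T2.to_bytes(8, "big")), A_IDU)))
    if R_S is None:
        return None
    k = H3(H1(ID_U)[0], R_U[0], R_S[0])
    return k if ec_mul(k + R_S[0], P) == M_k else None

def run(ID_U=b"alice@example.org", T1=1_700_000_000):
    """One full exchange on a constructed identity and timestamp; returns (k, k', msg)."""
    A_IDU = register(ID_U)
    msg, R_U = user_step1(ID_U, A_IDU, T1)
    reply, k_server = server_step2_3(msg, now=T1, T2=T1 + 1)
    return k_server, user_step4(ID_U, A_IDU, R_U, reply), msg
```

Two design points are worth noting. Because $x_U$ and $k + x_S$ are used as scalars, `ec_mul` reduces them modulo $n$ on both sides, so user and server agree even though a coordinate is an element of $F_p$ rather than $Z_n$. The server's `window` parameter is not in the paper: without it, re-sending the original tuple unchanged makes Step 2 recompute the same $t_1$ and succeed, so an implementation must reject stale timestamps before running the verification.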

Basically, the proposed authentication scheme is based on the elliptic curve discrete logarithm problem (ECDLP) and the elliptic curve factorization problem (ECFP), so only point multiplication operations on the elliptic curve are required. Compared with the pairing-based authentication schemes (Choie et al., 2005; Jia et al., 2006; Liao and Wang, 2007; Wu et al., 2005), the proposed scheme is more efficient because a bilinear pairing is more expensive than a point multiplication on ECC (Cao et al., 2008). Besides, the proposed scheme is constructed on the ID-based concept and uses the user's unique identity $ID_U$ to compute $A_{ID_U}$ for mutual authentication. Thus, mutual authentication between the user and the server is accomplished without public keys, and neither the users nor the server need to perform additional computations to verify the other party's certificate. Therefore, the proposed scheme is efficient.

Up to now, some remote user authentication schemes on ECC (Chen and Song, 2007; Jiang et al., 2007; Jia et al., 2006; Wu et al., 2005) only allow the server to authenticate the users' identities; the users cannot authenticate the validity of the server. Thus, an attacker can easily impersonate the server to steal the user's secret information in these schemes. In the mutual authentication with key agreement phase of the proposed scheme, only the valid user and the valid server can recover the other party's random points $R_U$ and $R_S$, so each party can authenticate the other. Thus, our scheme supports mutual authentication and provides reliability for both the user and the server.

According to our investigations, some authentication schemes on ECC (Cao et al., 2008; Chen and Song, 2007; Jia et al., 2006; Wu et al., 2005) do not provide a session key agreement between the users and the server, so they can only be applied to remote login systems. Our scheme not only accomplishes mutual authentication but also provides a session key between the user and the server, so it can be applied to many applications, such as on-line shopping and pay-TV, in which a session key is necessary for the subsequent communications between the user and the server after they complete mutual authentication. Therefore, the proposed scheme provides flexibility for many applications in electronic transactions.

In the proposed scheme, the authentication key $A_{ID_U} = q_S \cdot H_1(ID_U) \in G_P$ is derived from the user's identity $ID_U$ and the server's secret key $q_S$. Whatever the number of users, the server keeps only its secret key $q_S$ and uses the user's identity to recompute $A_{ID_U}$ for user authentication. When a new user is added to the system, the server does not need to store his password or public key. Therefore, the proposed scheme provides high scalability for user addition and is very practical for applications with a large number of users.

4. Discussions

In this section, we discuss the security of the proposed scheme and compare it with some related schemes. We first analyze the security of the proposed scheme against some possible attacks.

4.1. Security analyses

4.1.1. Outsider attack

Assume that an attacker wants to derive the secret information in the system and therefore eavesdrops on the communications between the user and the server, collecting $(ID_U, M_U, \bar{R}_U, T_1)$ and $(M_S, M_k, T_2)$. To obtain the user's authentication key $A_{ID_U}$ or the server's secret key $q_S$, he would have to recover them from $M_U = R_U + t_1 \cdot A_{ID_U}$ or $M_S = R_S + t_2 \cdot q_S \cdot Q_{ID_U}$. This is infeasible because he faces the elliptic curve discrete logarithm problem (ECDLP) and the elliptic curve factorization problem (ECFP), for which no efficient algorithm is known (Subsection 2.1). Similarly, the attacker cannot derive the session key $k$ from $M_k = (k + x_S) \cdot P$ because he faces the ECDLP.

4.1.2. Replay attack

Assume that an attacker records the information once transferred between the user and the server and later uses the pre-collected $(M_U, \bar{R}_U)$ to pretend to be the user U, sending $(ID_U, M_U, \bar{R}_U, T'_1)$ to the server, where $T'_1$ denotes the current time. This cannot work, since $M_U = R_U + t_1 \cdot A_{ID_U}$ was generated with the past value $t_1 = H_2(T_1)$ rather than the current value $t'_1 = H_2(T'_1)$. When the server uses $T'_1$ to compute $t'_1 = H_2(T'_1)$ and $R'_U = M_U - q_S \cdot t'_1 \cdot Q_{ID_U}$, the verification equation $\bar{R}_U = x'_U \cdot P$ in Step 2 of the mutual authentication with key agreement phase does not hold, because $M_U - q_S \cdot t'_1 \cdot Q_{ID_U} \neq M_U - q_S \cdot t_1 \cdot Q_{ID_U}$ and hence $R'_U \neq R_U$. Similarly, an attacker cannot use the pre-collected $(M_S, M_k)$ to pretend to be the server S because $M_S$ contains the past timestamp $T_2$. Therefore, the replay attack is infeasible for the proposed scheme. Note that this argument assumes the receiver also rejects a message whose timestamp is not fresh: if the attacker replays the original tuple $(ID_U, M_U, \bar{R}_U, T_1)$ unchanged, Step 2 recomputes the same $t_1$ and the verification succeeds, so the server must check that $T_1$ lies within an acceptable window of its current time (and the user likewise for $T_2$) before running the verification.

4.1.3. Impersonation attack

Assume that an attacker wants to impersonate a legal user U. He randomly chooses $R''_U = (x''_U, y''_U) \in E_p(a, b)$ and a guess $A''_{ID_U}$, computes $M''_U = R''_U + t_1 \cdot A''_{ID_U}$ and $\bar{R}''_U = x''_U \cdot P$, and sends $(ID_U, M''_U, \bar{R}''_U, T_1)$ to the server for authentication. However, the server cannot recover $R''_U = (x''_U, y''_U)$ from $R'_U = M''_U - q_S \cdot t_1 \cdot Q_{ID_U} = M''_U - t_1 \cdot A_{ID_U}$, since $M''_U$ was generated with $A''_{ID_U}$ instead of $A_{ID_U}$. Because $\bar{R}''_U \neq x'_U \cdot P$, the server detects that the sender is not a legal user. Similarly, an attacker cannot impersonate the valid server because he does not know the server's secret key $q_S$. Therefore, the impersonation attack is infeasible against our scheme, under the ECDLP assumption that prevents an attacker from computing $A_{ID_U}$ or $q_S$ from the public values.

4.2. Comparisons

Table 1 compares our scheme with the previous authentication schemes on ECC. For simplicity, the computation costs in Table 1 exclude certificate computations and pairing computations; for a scheme that requires either, the cost in practice is larger than the figure in Table 1. According to Table 1, our scheme provides both mutual authentication and a session key agreement, and it needs neither certificate computations nor pairing computations. Its computation cost (3PM + 2PA) is comparable to that of the other schemes before their certificate or pairing costs are added, and it uses two communication rounds, the fewest in Table 1. From the above, we conclude that our scheme is more efficient and practical than the related schemes for the users of mobile devices.

Table 1 – Comparisons of the related works.

| Properties | Tian et al. (2005), Hankerson et al. (2004) | Wu et al. (2005), Shamir (1984) | Jia et al. (2006) | Abichar et al. (2007), Rivest et al. (1978) | Ours |
|---|---|---|---|---|---|
| Mutual authentication | Yes | No | No | Yes | Yes |
| Key agreement | Yes | No | No | Yes | Yes |
| Certificate computations | Yes | No | Yes | Yes | No |
| Pairings computations | No | Yes | Yes | No | No |
| Computation costs | 3PM + 1PA + 1SD | 3PM + 1PA | 4PM + 1PA | 2PM + 2PA + 1MM | 3PM + 2PA |
| Communication rounds | 4 | 2 | 2 | 3 | 2 |

PM: elliptic curve point multiplication; PA: elliptic curve point addition; SD: symmetric-key decryption; MM: modular multiplication.


5. Conclusions

In this paper, we propose an ID-based remote mutual authentication with key agreement scheme on ECC. Based on the ID-based concept, the proposed scheme does not require additional computations for certificates. In addition, the proposed scheme is not constructed from bilinear pairings, which are an expensive operation on elliptic curves. According to the comparisons in Subsection 4.2, the proposed scheme is more efficient and practical than the related works. In future work, we will investigate a remote mutual authentication scheme on ECC for multi-server environments so that it can be applied to more applications in electronic transactions.

References

Abichar PE, Mhamed A, Elhassan B. A fast and secure elliptic curve based authenticated key agreement protocol for low power mobile communications. In: Proceedings of the 2007 international conference on next generation mobile applications, services and technologies; 2007. p. 235–40.

Cao X, Kou W, Dang L, Zhao B. IMBAS: identity-based multi-user broadcast authentication in wireless sensor networks. Computer Communications 2008;31:659–67.

Chen ZG, Song XX. A distributed electronic authentication scheme based on elliptic curve. In: Proceedings of the sixth international conference on machine learning and cybernetics; 2007. p. 2179–82.

Choie YJ, Jeong E, Lee E. Efficient identity-based authenticated key agreement protocol from pairings. Applied Mathematics and Computation 2005;162:179–88.

ElGamal T. A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Transactions on Information Theory 1985;IT-31:469–72.

Hankerson D, Menezes A, Vanstone S. Guide to elliptic curve cryptography. New York, USA: Springer-Verlag; 2004.

Jia Z, Zhang Y, Shao H, Lin Y, Wang J. A remote user authentication scheme using bilinear pairings and ECC. In: Proceedings of the sixth international conference on intelligent system design and applications; 2006. p. 1091–4.

Jiang C, Li B, Xu H. An efficient scheme for user authentication in wireless sensor networks. In: Proceedings of the 21st international conference on advanced information networking and applications workshops; 2007. p. 438–42.

Koblitz N. Elliptic curve cryptosystems. Mathematics of Computation 1987;48:203–9.

Li F, Xin X, Hu Y. Identity-based broadcast signcryption. Computer Standards and Interfaces 2008;30:89–94.

Liao YP, Wang SS. A secure and efficient scheme of remote user authentication based on bilinear pairings. In: Proceedings of the 2007 IEEE region 10 conference; 2007. p. 1–4.

Miller VS. Use of elliptic curves in cryptography. In: Advances in cryptology, proceedings of CRYPTO '85, vol. 218. LNCS, Springer-Verlag; 1986. p. 417–26.

Rivest RL, Shamir A, Adleman L. A method for obtaining digital signatures and public key cryptosystems. Communications of the ACM 1978;21(2):120–6.

Shamir A. Identity based cryptosystems and signature schemes. In: Proceedings of CRYPTO '84. LNCS, Springer-Verlag; 1984. p. 47–53.

Tian X, Wong DS, Zhu RW. Analysis and improvement of authenticated key exchange protocol for sensor networks. IEEE Communications Letters 2005;9(11):970–2.

Wu ST, Chiu JH, Chieu BC. ID-based remote authentication with smart cards on open distributed system from elliptic curve cryptography. In: Proceedings of the IEEE international conference on electro information technology; 2005.

Jen-Ho Yang received the BS degree in computer science and information engineering from I-Shou University, Kaohsiung, Taiwan in 2002. He is currently pursuing his Ph.D. degree in computer science and information engineering at National Chung Cheng University, Chiayi, Taiwan. His current research interests include electronic commerce, information security, cryptography, mobile communications, and fast modular multiplication algorithms.

Chin-Chen Chang received his BS degree in applied mathematics in 1977 and the MS degree in computer and decision sciences in 1979, both from the National Tsing Hua University, Hsinchu, Taiwan. He received his Ph.D. in computer engineering in 1982 from the National Chiao Tung University, Hsinchu, Taiwan. Since February 2005, he has been a Chair Professor of Feng Chia University. In addition, he has served as a consultant to several research institutes and government departments. His current research interests include database design, computer cryptography, image compression and data structures.