Computers & Security 28 (2009) 138–143
An ID-based remote mutual authentication with key agreement scheme for mobile devices on elliptic curve cryptosystem
Jen-Ho Yang a, Chin-Chen Chang a,b,*
a Department of Computer Science and Information Engineering, National Chung Cheng University, 160 San-Hsing, Ming-Hsiung, Chiayi 621, Taiwan, ROC
b Department of Information Engineering and Computer Science, Feng Chia University, 100 Wenhwa Rd., Seatwen, Taichung 40724, Taiwan, ROC
Article info
Article history: Received 21 August 2008; Accepted 26 November 2008
Keywords: ID-based; Mutual authentication; Key agreement; Elliptic curve; Cryptosystem
* Corresponding author. Department of Information Engineering and Computer Science, Feng Chia University, 100 Wenhwa Rd., Seatwen, Taichung 40724, Taiwan, ROC. Tel.: +886 4 24517250x3790; fax: +886 27066495.
E-mail addresses: [email protected] (J.-H. Yang), [email protected] (C.-C. Chang).
0167-4048/$ – see front matter © 2008 Elsevier Ltd. All rights reserved.
doi:10.1016/j.cose.2008.11.008
Abstract
Recently, remote user authentication schemes have been implemented on elliptic curve cryptosystems (ECC) to reduce the computation load on mobile devices. However, most remote user authentication schemes on ECC are based on public-key cryptosystems, in which each public key requires an associated certificate to prove its validity. Thus, the user must perform additional computations to verify the certificate in these schemes. In addition, we find that these schemes do not provide mutual authentication or session key agreement between the user and the remote server. Therefore, we propose an ID-based remote mutual authentication with key agreement scheme on ECC in this paper. Based upon the ID-based concept, the proposed scheme does not require public keys for users, so the additional computations for certificates can be avoided. Moreover, the proposed scheme not only provides mutual authentication but also supports session key agreement between the user and the server. Compared with the related works, the proposed scheme is more efficient and practical for mobile devices.
© 2008 Elsevier Ltd. All rights reserved.
1. Introduction
With the rapid development of electronic technology, various mobile devices (e.g., cell phones, PDAs, and notebook PCs) are produced to make human life more convenient. This also turns some traditional transactions into electronic transactions. Because mobile devices are portable, people can accomplish electronic transactions by mobile device anytime and anywhere. Moreover, a merchant can reduce costs by not maintaining a physical store. Thus, more and more electronic transactions for mobile devices are implemented on the Internet or wireless networks.
In electronic transactions, remote user authentication over an insecure channel is an important issue. For example, when a user wants to log in to a remote server and access its services, such as on-line shopping and pay-TV, both the user and the server must authenticate each other's identity for a fair transaction. Generally, remote user authentication can be implemented with traditional public-key cryptosystems (PKC), such as Rivest et al. (1978) and ElGamal (1985). However, PKC needs to compute modular exponentiations, which are time-consuming operations. In addition, the computation ability and battery capacity of mobile devices are limited. Therefore, PKC-based remote authentication schemes are
not suitable for mobile devices. To solve the above problems,
various authentication schemes based on elliptic curve cryp-
tosystem (ECC) are proposed (Abichar et al., 2007; Choie et al.,
2005; Cao et al., 2008; Chen and Song, 2007; Jiang et al., 2007; Jia
et al., 2006; Liao and Wang, 2007; Tian et al., 2005; Wu et al.,
2005).
ECC was first proposed by Miller (1986) and Koblitz (1987), and its security is based upon the difficulty of the elliptic curve discrete logarithm problem (ECDLP). Compared with PKC, ECC offers better performance because it achieves the same security with a smaller key size. For example, 160-bit ECC and 1024-bit RSA have the same security level in practice (Hankerson et al., 2004). Thus, ECC-based authentication schemes are more suitable for mobile devices than PKC-based ones. However, ECC-based authentication schemes still have some disadvantages when they are implemented on mobile devices. Like PKC, ECC also needs a key authentication center (KAC) to maintain the certificates for users' public keys. When the number of users increases, the KAC needs a large storage space to store users' public keys and certificates. In addition, users need additional computations to verify the other party's certificate in these schemes (Abichar et al., 2007; Chen and Song, 2007; Jiang et al., 2007; Jia et al., 2006; Liao and Wang, 2007; Tian et al., 2005). This makes the computation loads and energy costs of mobile devices very high.
To solve the above problems, several ID-based authentication schemes on ECC have been proposed (Choie et al., 2005; Cao et al., 2008; Wu et al., 2005). The ID-based concept was first introduced by Shamir (1984). In an ID-based scheme, the user utilizes his unique identity (e.g., name, address, or email address) as his public key. Thus, the user cannot claim that authentication information containing his identity does not belong to him. Without public keys, users do not need to perform additional computations to verify the corresponding certificates. Moreover, the KAC does not need to maintain a large public-key table because there are no public keys in ID-based schemes. However, the previous ID-based authentication schemes on ECC (Choie et al., 2005; Wu et al., 2005) are constructed using bilinear pairings, which are expensive operations (Cao et al., 2008). For mobile devices, the computation and energy costs of pairing-based schemes are higher than those of ECDLP-based schemes.
On the other hand, we also find some disadvantages in the
previous user authentication schemes on ECC. That is, some of
these schemes do not provide the mutual authentication
(Chen and Song, 2007; Jiang et al., 2007; Jia et al., 2006; Wu et al.,
2005) or the session key agreement (Cao et al., 2008; Chen and
Song, 2007; Jia et al., 2006; Wu et al., 2005) between the user and
the server. For some applications, the user and the server need
a session key to encrypt the secret information for the
subsequent communications after they authenticate with
each other. According to the above descriptions, we propose
an ID-based remote mutual authentication with key agree-
ment scheme based upon ECC in this paper. The main
contributions of the proposed scheme are shown as follows.
1. Efficiency: Compared with the pairing-based authentication schemes, the proposed scheme has lower computation loads for mobile devices because it is based upon point multiplication on ECC. Moreover, the proposed scheme does not need to perform additional computations to verify certificates because it is constructed on the ID-based concept. Without additional computations for certificates, the energy costs and computation loads of mobile devices can be reduced. Therefore, the proposed scheme provides efficiency for the users of mobile devices.
2. Reliability: For security, both the user and the server need to check the other party's validity in electronic transactions. However, some of the previous authentication schemes on ECC only allow the server to authenticate the user's identity. As a result, an attacker can easily impersonate the server to steal the user's secret information. To solve this problem, the proposed scheme provides mutual authentication between the user and the server. Therefore, the mutual authentication in the proposed scheme provides reliability between the user and the server.
3. Flexibility: Some of the previous authentication schemes on ECC only provide user authentication without a session key agreement between users and a remote server. Thus, these schemes can only be applied to remote login systems. For some applications, such as on-line shopping and pay-TV, it is necessary to share a session key between the user and the server for the subsequent transactions after they mutually authenticate each other. The proposed scheme, however, not only accomplishes mutual authentication but also provides a session key agreement between a user and the remote server. Thus, the proposed scheme is flexible for many applications.
4. Scalability: Based upon the ID-based concept, the proposed scheme utilizes each user's unique identity to accomplish user authentication. Thus, the server does not need to maintain a large public-key table when the number of users becomes very large. Because user authentication involves only the user's identity, the server can easily confirm that a user is valid according to his identity. That is, the server can offer its services to a large number of users, so that it can make more profit in electronic transactions. Therefore, the proposed scheme provides high scalability for user addition in electronic transactions.
The rest of our paper is organized as follows. First, the basic
concept of ECC and Tian et al.’s authentication scheme on ECC
(Tian et al., 2005) are presented in Section 2. Then, the
proposed scheme is shown in Section 3. The security and
performance analyses are discussed in Section 4. Finally, the
conclusions are given in Section 5.
2. Preliminaries
In this section, we first introduce the basic concepts of ECC.
Then, we review Tian et al.’s remote user authentication
scheme on ECC (Tian et al., 2005).
2.1. Elliptic curve cryptosystem (ECC)
An elliptic curve is a cubic equation of the form $y^2 + axy + by = x^3 + cx^2 + dx + e$, where $a, b, c, d$, and $e$ are real numbers. In an elliptic curve cryptosystem (ECC), the elliptic curve equation is defined in the form $E_p(a, b)$: $y^2 = x^3 + ax + b \pmod p$ over a prime finite field $F_p$, where $a, b \in F_p$, $p > 3$, and $4a^3 + 27b^2 \neq 0 \pmod p$ (Hankerson et al., 2004). Given an integer $s \in F_p^*$ and a point $P \in E_p(a, b)$, the point multiplication $s \cdot P$ over $E_p(a, b)$ is defined as $s \cdot P = \underbrace{P + P + \cdots + P}_{s \text{ times}}$. More details of ECC definitions can be found in Hankerson et al. (2004). Generally, the security of ECC relies on the difficulty of the following problems (Li et al., 2008).
Definition 1. Given two points $P$ and $Q$ over $E_p(a, b)$, the elliptic curve discrete logarithm problem (ECDLP) is to find an integer $s \in F_p^*$ such that $Q = s \cdot P$.
Definition 2. Given three points $P$, $s \cdot P$, and $t \cdot P$ over $E_p(a, b)$ for $s, t \in F_p^*$, the computational Diffie–Hellman problem (CDLP) is to find the point $(s \cdot t) \cdot P$ over $E_p(a, b)$.
Definition 3. Given two points $P$ and $Q = s \cdot P + t \cdot P$ over $E_p(a, b)$ for $s, t \in F_p^*$, the elliptic curve factorization problem (ECFP) is to find the two points $s \cdot P$ and $t \cdot P$ over $E_p(a, b)$.
Up to now, no algorithm is known to solve any of the above problems (Li et al., 2008).
2.2. Tian et al.'s authentication with key agreement scheme on ECC
In this subsection, we introduce Tian et al.'s authentication with key agreement scheme on ECC (Tian et al., 2005). There are three participants in Tian et al.'s scheme: user A, user B, and the certificate authority (CA). In their scheme, A and B want to authenticate each other and share a session key. Moreover, CA is responsible for initializing the system parameters and generating the certificates of A and B. First, CA chooses an elliptic curve equation $E_p(a, b)$ as defined in Subsection 2.1. Note that the order of $E_p(a, b)$ is $n$. Then, CA selects a public point $P$ of order $n$ over $E_p(a, b)$ and computes its private/public key pair $(q_{CA}, Q_{CA})$ by $Q_{CA} = q_{CA} \cdot P$. Here, we define some parameters used in Tian et al.'s scheme as follows: $H(\cdot)$ is a public one-way hash function with 160-bit input size, and "$\|$" is the binary string concatenation operation. In addition, $KDF(\cdot)$ and $MAC(\cdot)$ denote a secure key derivation function and a message authentication code function (Tian et al., 2005), respectively. Now, we introduce Tian et al.'s scheme as follows.
2.2.1. Certificate generation phase
Step 1. User A chooses an integer $g_A \in Z_p^*$ and computes $G_A = g_A \cdot P$. Then, A sends his identity $ID_A$ and $G_A$ to CA.
Step 2. CA chooses a random integer $g_{CA} \in Z_p^*$ and computes $G_{CA} = g_{CA} \cdot P$ and $\bar{G}_A = G_A + G_{CA}$. Then, CA computes $cer_A = (Q_{CA}, ID_A, \bar{G}_A, T_A)$ as A's certificate, where $T_A$ is the expiration time of $cer_A$. Finally, CA computes $cer'_A = H(cer_A)$ and $s_A = g_{CA} \cdot cer'_A + q_{CA} \bmod n$. Then, CA publishes $cer_A$ and sends $s_A$ to user A.
Step 3. User A computes $cer'_A = H(cer_A)$ and $q_A = s_A + g_A \cdot cer'_A \bmod n$, where $q_A$ is his private key. Then, A computes his public key $Q_A = q_A \cdot P$. Finally, A checks whether $Q_A = cer'_A \cdot \bar{G}_A + Q_{CA}$ holds. If the equation holds, A accepts this certificate. Otherwise, he rejects it.
Similarly, user B obtains its private/public key pair $(q_B, Q_B)$ and the corresponding certificate $cer_B = (Q_{CA}, ID_B, \bar{G}_B, T_B)$ according to the above steps.
2.2.2. Authentication with key agreement phase
Step 1. User A confirms the validity of B's public key by checking whether $Q_B = cer'_B \cdot \bar{G}_B + Q_{CA}$ holds. Similarly, B confirms the validity of A's public key by checking whether $Q_A = cer'_A \cdot \bar{G}_A + Q_{CA}$ holds.
Step 2. User A randomly chooses a $k$-bit integer $r_A$ and a redundant string $l$ to compute $m = (r_A \| l)$, where $k$ is a system-wide security parameter. Then, A selects an integer $d_A \in Z_p^*$ and computes $D_A = d_A \cdot P$ and $D_B = d_A \cdot Q_B$. Finally, A computes $m' = m \oplus D_B.x$ and sends $(D_A, m')$ to B, where $D_B.x$ is the x coordinate of the point $D_B$ over $E_p(a, b)$.
Step 3. User B computes $D_B = q_B \cdot D_A$ and $m = m' \oplus D_B.x$. Then, B obtains $r_A$ from the most significant $k$ bits of $m$. B then randomly chooses a $k$-bit integer $r_B$ and computes $y = E_{r_A}(ID_B \| r_B)$, where $E_{r_A}(\cdot)$ is a secure symmetric encryption algorithm using the symmetric key $r_A$. To obtain the session key $K$, B also computes $MacK \| K = KDF(r_A \| r_B \| ID_A \| ID_B)$, where $MacK$ is the message authentication code of $K$. Note that the lengths of $MacK$ and $K$ are pre-defined. Finally, user B sends $y$ to user A.
Step 4. User A decrypts $y = E_{r_A}(ID_B \| r_B)$ using $r_A$ to obtain $r_B$. Thus, A can compute $MacK \| K = KDF(r_A \| r_B \| ID_A \| ID_B)$ to obtain the session key $K$. Then, A computes $z = q_A \cdot H(MacK) + d_A \bmod n$ and sends $z$ to B.
Step 5. User B checks whether $z \cdot P = H(MacK) \cdot Q_A + D_A$ holds. If the equation holds, B computes $z' = MAC_{MacK}(ID_B \| ID_A)$ and sends it to A. Otherwise, the protocol is terminated.
Step 6. User A checks whether $z'$ is valid. If $z'$ is valid, A accepts the session key $K$. Otherwise, the protocol is terminated.
According to Tian et al.’s scheme, we find that the user
authentication scheme on ECC using the public key has the
following disadvantages. First, CA needs a large storage space
to keep all users’ public keys and certificates if the number of
users becomes large. Second, the users need additional
computations to verify the others’ certificates. These disad-
vantages make their authentication schemes on ECC unsuit-
able for mobile devices. To overcome these disadvantages, we
propose an ID-based remote mutual authentication with key
agreement scheme for mobile devices on ECC in the next
section.
3. The proposed scheme
The proposed scheme provides the mutual authentication
and a session key agreement between a user U and a remote
server S. Note that the server is responsible for initializing the
system parameters and distributing a secret key to each user.
The proposed scheme is divided into three phases: system
initialization phase, user registration phase, and mutual
authentication with key agreement phase. Now, we present
our scheme as follows.
3.1. System initializing phase
Step 1. The server chooses an elliptic curve equation $E_p(a, b)$ with order $n$, as defined in Subsection 2.1.
Step 2. The server S selects a base point $P$ of order $n$ over $E_p(a, b)$, where $n$ is a large number for security considerations. Then, S derives its private/public key pair $(q_S, Q_S)$ by computing $Q_S = q_S \cdot P$.
Step 3. The server chooses three secure one-way hash functions $H_1(\cdot): \{0, 1\}^* \to G_P$, $H_2(\cdot): \{0, 1\}^* \to Z_p^*$, and $H_3(\cdot): \{0, 1\}^* \to Z_p^*$, where $G_P$ is the cyclic additive group generated by $P$ over $E_p(a, b)$.
Step 4. The server keeps $q_S$ private and publishes $\{E_p(a, b), P, Q_S, H_1(\cdot), H_2(\cdot), H_3(\cdot)\}$.
3.2. User registration phase
Step 1. The user U sends his identity $ID_U$ to the server.
Step 2. The server S computes $AID_U = q_S \cdot H_1(ID_U) \in G_P$, where $AID_U$ is the authentication key for the user U. Then, S sends $AID_U$ to U over a secure channel.
Step 3. After receiving $AID_U$, U checks whether $AID_U \cdot P = Q_S \cdot H_1(ID_U)$ holds. If the equation holds, U keeps $AID_U$ private.
Fig. 1 – Mutual authentication with key agreement phase.
3.3. Mutual authentication with key agreement phase
Step 1. The user U randomly chooses a point $R_U = (x_U, y_U) \in E_p(a, b)$, where $x_U$ and $y_U$ are the x and y coordinates of the point $R_U$, respectively. Then, U computes $t_1 = H_2(T_1)$, $M_U = R_U + t_1 \cdot AID_U$, and $\bar{R}_U = x_U \cdot P$, where $T_1$ is a timestamp denoting the current time. Finally, U sends $(ID_U, M_U, \bar{R}_U, T_1)$ to the server.
Step 2. After receiving $(ID_U, M_U, \bar{R}_U, T_1)$, the server S computes $Q_{ID_U} = H_1(ID_U)$, $t_1 = H_2(T_1)$, and $R'_U = M_U - q_S \cdot t_1 \cdot Q_{ID_U}$ to obtain $Q_{ID_U} = (x_Q, y_Q)$ and $R'_U = (x'_U, y'_U)$. Then, S checks whether $\bar{R}_U = x'_U \cdot P$ holds. If the equation holds, the server confirms that U is valid and $x'_U = x_U$. Otherwise, the protocol is terminated.
Step 3. The server S randomly chooses a point $R_S = (x_S, y_S) \in E_p(a, b)$, and then computes $t_2 = H_2(T_2)$ and $M_S = R_S + t_2 \cdot q_S \cdot Q_{ID_U}$. Then, S computes the session key $k$ by $k = H_3(x_Q, x_U, x_S)$. Finally, S computes $M_k = (k + x_S) \cdot P$ and sends $(M_S, M_k, T_2)$ to U.
Step 4. After receiving $(M_S, M_k, T_2)$, the user U computes $Q_{ID_U} = H_1(ID_U)$, $t_2 = H_2(T_2)$, and $R'_S = M_S - t_2 \cdot AID_U$ to derive $Q_{ID_U} = (x_Q, y_Q)$ and $R'_S = (x'_S, y'_S)$. Then, U computes $k' = H_3(x_Q, x_U, x'_S)$ and $M'_k = (k' + x'_S) \cdot P$ and checks whether $M'_k = M_k$ holds. If the equation holds, U can confirm that S is valid and that the session key $k'$ is equal to $k$. Otherwise, the protocol is terminated.
Fig. 1 shows the mutual authentication with key agreement phase of the proposed scheme.
Basically, the proposed authentication scheme is based upon the elliptic curve discrete logarithm problem (ECDLP) and the elliptic curve factorization problem (ECFP). Thus, only point multiplication operations on the elliptic curve are required in the proposed scheme. Compared with the pairing-based authentication schemes (Choie et al., 2005; Jia et al., 2006; Liao and Wang, 2007; Wu et al., 2005), the proposed scheme is more efficient because the bilinear pairing operation is more expensive than point multiplication on ECC (Cao et al., 2008). Besides, the proposed scheme is constructed on the ID-based concept and utilizes the user's unique identity $ID_U$ to compute $AID_U$ for mutual authentication. Thus, the mutual authentication between the user and the server can be accomplished without using public keys. In addition, the users and the server do not need to perform additional computations to verify the other party's certificates. Therefore, the proposed scheme provides efficiency.
Up to now, some remote user authentication schemes on ECC (Chen and Song, 2007; Jiang et al., 2007; Jia et al., 2006; Wu et al., 2005) only allow the server to authenticate the users' identities; the users cannot authenticate the validity of the server. Thus, an attacker can easily impersonate the server to steal the user's secret information in these schemes. In the mutual authentication with key agreement phase, only the valid user and server can recover the other party's random points $R_U$ and $R_S$ in the proposed scheme. That is, both the user and the server can authenticate the other party's validity. Thus, our scheme supports mutual authentication and provides reliability for both the user and the server.
According to our investigations, some authentication schemes on ECC (Cao et al., 2008; Chen and Song, 2007; Jia et al., 2006; Wu et al., 2005) do not provide session key agreement for the users and the server. Thus, these schemes can only be applied to remote login systems. However, our scheme not only accomplishes mutual authentication but also provides a session key between the user and the server. That is, our scheme can be applied to many applications, such as on-line shopping and pay-TV. In these applications, a session key is necessary for the subsequent communications between the user and the server after they complete the mutual authentication. Therefore, the proposed scheme provides flexibility for many applications in electronic transactions.
In the proposed scheme, the authentication key $AID_U = q_S \cdot H_1(ID_U) \in G_P$ is constructed from the user's identity $ID_U$ and the server's secret key $q_S$. That is, whatever the number of users, the server only keeps its secret key $q_S$ and uses the user's identity to compute $AID_U$ for user authentication. When a new user is added to the system, the server does not need to keep his password or public key in storage. Therefore, the proposed scheme provides high scalability for user addition, so that it is very practical for applications with a large number of users.
4. The discussions
In this section, we discuss the security of the proposed scheme and compare it with some related schemes. Now, we present some possible attacks to analyze the security of the proposed scheme.
4.1. Security analyses
4.1.1. Outsider attack
Assume that an attacker wants to derive the secret information in the system, and therefore eavesdrops on the communications between the user and the server. Thus, the attacker can collect $(ID_U, M_U, \bar{R}_U, T_1)$ and $(M_S, M_k, T_2)$. To obtain the user's authentication key $AID_U$ and the server's secret key $q_S$, he needs to compute $AID_U$ and $q_S$ from $M_U = R_U + t_1 \cdot AID_U$ or $M_S = R_S + t_2 \cdot q_S \cdot Q_{ID_U}$. However, this attack is infeasible because he must face the difficulty of the elliptic curve discrete logarithm problem (ECDLP) and the elliptic curve factorization problem (ECFP). According to Subsection 2.1, no algorithm is known to solve these problems. Similarly, the attacker cannot derive the session key $k$ from $M_k = (k + x_S) \cdot P$ because he must face the difficulty of ECDLP.
Table 1 – Comparisons of the related works.
Properties                 Tian et al. (2005)   Wu et al. (2005)   Jia et al. (2006)   Abichar et al. (2007)   Ours
Mutual authentication      Yes                  No                 No                  Yes                     Yes
Key agreement              Yes                  No                 No                  Yes                     Yes
Certificate computations   Yes                  No                 Yes                 Yes                     No
Pairings computations      No                   Yes                Yes                 No                      No
Computation costs          3PM + 1PA + 1SD      3PM + 1PA          4PM + 1PA           2PM + 2PA + 1MM         3PM + 2PA
Communication rounds       4                    2                  2                   3                       2
PM: Elliptic curve point multiplication; PA: Elliptic curve point addition; SD: Symmetric-key decryption; MM: Modular multiplication.
4.1.2. Replay attack
Assume that an attacker collects the information once transferred between the user and the server. Then, the attacker may use the pre-collected information $(M_U, \bar{R}_U)$ to pretend that he is the user U. Thus, the attacker sends $(ID_U, M_U, \bar{R}_U, T'_1)$ to the server, where $T'_1$ denotes the current time. However, this attack cannot work since $M_U = R_U + t_1 \cdot AID_U$ was generated with the past value $t_1 = H_2(T_1)$ instead of the current value $t'_1 = H_2(T'_1)$. When the server uses $T'_1$ to compute $t'_1 = H_2(T'_1)$ and $R'_U = M_U - q_S \cdot t'_1 \cdot Q_{ID_U}$, the verification equation $\bar{R}_U = x'_U \cdot P$ does not hold in Step 2 of the mutual authentication with key agreement phase. This is because $M_U - q_S \cdot t'_1 \cdot Q_{ID_U} \neq M_U - q_S \cdot t_1 \cdot Q_{ID_U}$, so that $R'_U \neq R_U$. Similarly, an attacker cannot use the pre-collected information $(M_S, M_k)$ to pretend that he is the server S because $M_S$ contains the past timestamp $T_2$. Therefore, the replay attack is infeasible for the proposed scheme.
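A runnable walk-through of the mutual authentication with key agreement phase of Section 3.3 and of the replay argument just above, added here as an example (not the authors' code). It assumes secp256k1 as a stand-in for $E_p(a, b)$, realises $H_1$ as hash-to-scalar times $P$ because the paper leaves the map into $G_P$ unspecified, and has the server additionally reject $T_1$ values outside a freshness window, an assumption the paper's Step 2 does not state.

```python
import hashlib
import secrets

# secp256k1 stands in for E_p(a, b) with base point P of prime order n; the
# paper fixes no curve, so any prime-order curve and base point would do.
p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
a, b = 0, 7
n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
P = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None       # point at infinity (group identity)
FRESHNESS = 60   # seconds; added assumption, the paper's Step 2 states no window

def add(A, B):
    """Affine point addition on E_p(a, b)."""
    if A is INF: return B
    if B is INF: return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % p == 0:
        return INF                                   # B == -A
    if A == B:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow((x2 - x1) % p, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def neg(A):
    return INF if A is INF else (A[0], (-A[1]) % p)

def mul(s, A):
    """Point multiplication s * A by double-and-add; s is reduced mod n."""
    R, s = INF, s % n
    while s:
        if s & 1: R = add(R, A)
        A, s = add(A, A), s >> 1
    return R

def h_int(*parts):
    """SHA-256 over the labelled parts, mapped into [1, n-1]."""
    data = b"|".join(str(x).encode() for x in parts)
    return 1 + int.from_bytes(hashlib.sha256(data).digest(), "big") % (n - 1)

def H1(id_u): return mul(h_int("H1", id_u), P)   # {0,1}* -> G_P (assumed: hash-to-scalar * P)
def H2(T): return h_int("H2", T)                  # timestamp -> nonzero scalar t
def H3(x_q, x_u, x_s): return h_int("H3", x_q, x_u, x_s)   # k = H3(x_Q, x_U, x_S)

def user_step1(id_u, aid_u, T1):
    R_U = mul(1 + secrets.randbelow(n - 1), P)       # random point R_U = (x_U, y_U)
    M_U = add(R_U, mul(H2(T1), aid_u))               # M_U = R_U + t1 * AID_U
    Rbar_U = mul(R_U[0], P)                          # Rbar_U = x_U * P
    return (id_u, M_U, Rbar_U, T1), R_U

def server_step2_3(q_S, msg, now, T2):
    """Steps 2-3; returns ((M_S, M_k, T2), k) or None if U is rejected."""
    id_u, M_U, Rbar_U, T1 = msg
    if abs(now - T1) > FRESHNESS: return None
    Q_ID, t1 = H1(id_u), H2(T1)
    Rp_U = add(M_U, neg(mul(q_S * t1, Q_ID)))        # R'_U = M_U - q_S * t1 * Q_ID
    if Rp_U is INF or mul(Rp_U[0], P) != Rbar_U:     # check Rbar_U == x'_U * P
        return None
    R_S = mul(1 + secrets.randbelow(n - 1), P)       # random point R_S = (x_S, y_S)
    M_S = add(R_S, mul(H2(T2) * q_S, Q_ID))          # M_S = R_S + t2 * q_S * Q_ID
    k = H3(Q_ID[0], Rp_U[0], R_S[0])
    M_k = mul(k + R_S[0], P)                         # M_k = (k + x_S) * P
    return (M_S, M_k, T2), k

def user_step4(id_u, aid_u, R_U, reply):
    """Step 4; returns k' if S is authenticated, else None."""
    M_S, M_k, T2 = reply
    Rp_S = add(M_S, neg(mul(H2(T2), aid_u)))         # R'_S = M_S - t2 * AID_U
    if Rp_S is INF: return None
    k2 = H3(H1(id_u)[0], R_U[0], Rp_S[0])            # k' = H3(x_Q, x_U, x'_S)
    return k2 if mul(k2 + Rp_S[0], P) == M_k else None   # M'_k == M_k ?

def run_session(q_S, id_u, T1=1000, T2=1001):
    """One full run; returns (server's k, user's k') or None on rejection."""
    aid_u = mul(q_S, H1(id_u))                       # registration: AID_U = q_S * H1(ID_U)
    msg, R_U = user_step1(id_u, aid_u, T1)
    out = server_step2_3(q_S, msg, now=T1, T2=T2)
    return None if out is None else (out[1], user_step4(id_u, aid_u, R_U, out[0]))

def replay_is_rejected(q_S, id_u):
    """Section 4.1.2: a captured (M_U, Rbar_U) re-sent under a fresh T1' fails Step 2."""
    aid_u = mul(q_S, H1(id_u))
    (uid, M_U, Rbar_U, T1), _ = user_step1(id_u, aid_u, 1000)
    later = T1 + 5000                                # replayer supplies the current time
    return server_step2_3(q_S, (uid, M_U, Rbar_U, later), now=later, T2=later) is None
```

Both parties end with the same $k$ on an honest run, and the replayed tuple fails at the $\bar{R}_U = x'_U \cdot P$ check because the server recomputes $t'_1 = H_2(T'_1)$; the registration Step 3 check of Section 3.2 is not reproduced.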
4.1.3. Impersonation attack
Assume that an attacker wants to impersonate a legal user U, and randomly chooses $R''_U = (x''_U, y''_U) \in E_p(a, b)$ and $AID''_U$ to compute $M''_U = R''_U + t_1 \cdot AID''_U$ and $\bar{R}''_U = x''_U \cdot P$. Then, the attacker sends $(ID_U, M''_U, \bar{R}''_U, T_1)$ to the server for authentication. However, the server cannot obtain $R''_U = (x''_U, y''_U)$ from $R'_U = M''_U - q_S \cdot t_1 \cdot Q_{ID_U} = M''_U - t_1 \cdot AID_U$ since $M''_U$ was generated with $AID''_U$ instead of $AID_U$. Because $\bar{R}''_U \neq x'_U \cdot P$, the server detects that the attacker is an illegal user. Similarly, an attacker cannot impersonate the valid server because he does not know the server's secret key $q_S$. Therefore, it is impossible to perform the impersonation attack on our scheme.
4.2. Comparisons
Table 1 shows the comparisons of our scheme and the previous authentication schemes on ECC. For simplicity, the computation costs in Table 1 do not include the certificate computations and pairing computations. Note that if a scheme requires certificate computations or pairing computations, its computation costs in practice are larger than those in Table 1. According to Table 1, our scheme not only provides mutual authentication but also supports a session key agreement. Moreover, our scheme does not need to perform certificate computations or pairing computations. Furthermore, the computation costs and the number of communication rounds of our scheme are less than those of the other schemes, as shown in Table 1. From the above descriptions, we conclude that our scheme is more efficient and practical than the related schemes for the users of mobile devices.
5. Conclusions
In this paper, we propose an ID-based remote mutual authentication scheme on ECC. Based upon the ID-based concept, the proposed scheme does not require additional computations for certificates. In addition, the proposed scheme is not constructed with bilinear pairings, which are an expensive operation on elliptic curves. According to the comparisons in Subsection 4.2, the proposed scheme is more efficient and practical than the related works. In the future, we will investigate a remote mutual authentication scheme on ECC in multi-server environments so that it can be applied to more applications in electronic transactions.
References
Abichar PE, Mhamed A, Elhassan B. A fast and secure elliptic curve based authenticated key agreement protocol for low power mobile communications. In: Proceedings of the 2007 international conference on next generation mobile applications, services and technologies; 2007. p. 235–40.
Cao X, Kou W, Dang L, Zhao B. IMBAS: identity-based multi-user broadcast authentication in wireless sensor networks. Computer Communications 2008;31:659–67.
Chen ZG, Song XX. A distributed electronic authentication scheme based on elliptic curve. In: Proceedings of the sixth international conference on machine learning and cybernetics; 2007. p. 2179–82.
Choie YJ, Jeong E, Lee E. Efficient identity-based authenticated key agreement protocol from pairings. Applied Mathematics and Computation 2005;162:179–88.
ElGamal T. A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Transactions on Information Theory 1985;IT-31:469–72.
Hankerson D, Menezes A, Vanstone S. Guide to elliptic curve cryptography. New York, USA: LNCS, Springer-Verlag; 2004.
Jia Z, Zhang Y, Shao H, Lin Y, Wang J. A remote user authentication scheme using bilinear pairings and ECC. In: Proceedings of the sixth international conference on intelligent system design and applications; 2006. p. 1091–4.
Jiang C, Li B, Xu H. An efficient scheme for user authentication in wireless sensor networks. In: Proceedings of the 21st international conference on advanced information networking and applications workshops; 2007. p. 438–42.
Koblitz N. Elliptic curve cryptosystem. Mathematics of Computation 1987;48:203–9.
Li F, Xin X, Hu Y. Identity-based broadcast signcryption. Computer Standard and Interfaces 2008;30:89–94.
Liao YP, Wang SS. A secure and efficient scheme of remote user authentication based on bilinear pairings. In: Proceedings of the 2007 IEEE region 10 conference; 2007. p. 1–4.
Miller VS. Use of elliptic curves in cryptography. In: Advances in cryptology, proceedings of CRYPTO'85, vol. 218. LNCS, Springer-Verlag; 1986. p. 417–26.
Rivest RL, Shamir A, Adleman L. A method for obtaining digital signatures and public key cryptosystems. Communications of the ACM 1978;21(2):120–6.
Shamir A. Identity based cryptosystems and signature schemes. In: Proceedings of CRYPTO'84. LNCS, Springer-Verlag; 1984. p. 47–53.
Tian X, Wong DS, Zhu RW. Analysis and improvement of authenticated key exchange protocol for sensor networks. IEEE Communications Letters 2005;9(11):970–2.
Wu ST, Chiu JH, Chieu BC. ID-based remote authentication with smart cards on open distributed system from elliptic curve cryptography. In: Proceedings of the IEEE international conference on electro information technology; 2005.
Jen-Ho Yang received the BS degree in computer science and information engineering from I-Shou University, Kaohsiung, Taiwan in 2002. He is currently pursuing his Ph.D. degree in computer science and information engineering from National Chung Cheng University, Chiayi, Taiwan. His current research interests include electronic commerce, information security, cryptography, mobile communications, and fast modular multiplication algorithms.
Chin-Chen Chang received his BS degree in applied mathematics in 1977 and the MS degree in computer and decision sciences in 1979, both from the National Tsing Hua University, Hsinchu, Taiwan. He received his Ph.D. in computer engineering in 1982 from the National Chiao Tung University, Hsinchu, Taiwan. Since February 2005, he has been a Chair Professor of Feng Chia University. In addition, he has served as a consultant to several research institutes and government departments. His current research interests include database design, computer cryptography, image compression and data structures.