
Mathematical and Computer Modelling 57 (2013) 2703–2717


Design of improved password authentication and update scheme based on elliptic curve cryptography

SK Hafizul Islam ∗, G.P. Biswas
Department of Computer Science and Engineering, Indian School of Mines, Dhanbad-826004, India

Article history:
Received 29 December 2010
Received in revised form 29 June 2011
Accepted 1 July 2011

Keywords:
Password authentication
Elliptic curve cryptography
Cryptographic hash function
Impersonation attack
Insider attack

Abstract

Secured password authentication and update of passwords are two essential requirements for remote login over unreliable networks. In this paper, an elliptic curve cryptography (ECC) based technique is proposed that not only satisfies the above two requirements but also provides additional security properties that are not available in some schemes proposed so far. For instance, Peyravian and Zunic's scheme does not provide protection against the password guessing attack, server spoofing attack and data eavesdropping attack. Although some modifications to remove these attacks have been proposed by Hwang and Yeh and by Lee et al., it has been found that attacks such as the replay attack, server spoofing attack and data eavesdropping attack are still possible. Subsequently, Hwang and Yeh's scheme was further improved by Lin and Hwang; this improved scheme is analyzed in this paper and certain security flaws are identified. We have attempted to remove these security flaws and propose an ECC-based scheme that, in addition to secured password authentication and password update, efficiently protects against several related attacks. As a proof of our claim, a detailed security analysis of the proposed scheme against these attacks is given. One advantage of the proposed scheme is that it generates an ECC-based common secret key that can be used for symmetric encryption, which requires less processing time than public key encryption-based techniques.
© 2011 Elsevier Ltd. All rights reserved.

1. Introduction

Client authentication is needed to secure remote login when a client's program communicates with a server's program over an insecure network such as the Internet. The identity and a secret password of a client are used for mutual authentication and access control; the password can be compromised during transmission if an efficient scheme is not followed. Also, some systems in a hostile network need the client's password to be changed periodically to protect valuable resources from an adversary, and until a secured password change protocol that allows the client to change the old password to a new password safely is in place, such systems are not well protected. Basically, there are four approaches to designing password authentication and password change schemes: those based on public key encryption, private key encryption, hash functions, and their combinations.
Lamport [1] suggested a hash-based password authentication scheme that successfully authenticates the client and the server mutually; although it is immune to the server's data eavesdropping and impersonation attacks, it is vulnerable to the replay attack, and its high hash computation cost and password resetting problem decrease its applicability for practical use. Password authentication and password change protocols using only a collision-resistant one-way hash function, without encryption techniques, were proposed by Peyravian and Zunic [2]; their scheme is simple and straightforward to implement as it employs only a hash function. Later on, Lee et al. [3] showed that the scheme [2] suffers from the off-line password guessing attack and proposed an improved version of Peyravian and Zunic's scheme, but Ku et al. [4] demonstrated that Lee et al.'s scheme has some security flaws such as the denial of service (DoS) attack, stolen-verifier attack and off-line password guessing attack. In 2004, Yoon et al. [5] proposed an improvement of Lee et al.'s scheme, but Ku et al. [6] showed that Yoon et al.'s scheme is still vulnerable to the off-line guessing attack and stolen-verifier attack, and that it does not provide forward secrecy.

∗ Corresponding author. Tel.: +91 8797369160.
E-mail address: [email protected] (SK Hafizul Islam).
doi:10.1016/j.mcm.2011.07.001
Again, Hwang and Yeh [7] mentioned that Peyravian and Zunic's scheme is also vulnerable to the password guessing attack, server spoofing attack and data eavesdropping attack, and made some improvements on Peyravian and Zunic's scheme using a public key cryptosystem. Hwang and Yeh's scheme achieves mutual authentication and repairs the security problems present in Peyravian and Zunic's scheme, but Ku et al. [8] showed that it cannot prevent the replay attack. Later on, Lin and Hwang [9] showed that Hwang and Yeh's scheme suffers from the DoS attack and does not provide perfect forward secrecy, and proposed an improved scheme that removes the above security pitfalls and accomplishes mutual authentication and distribution of a secret key between the client and the server. Again, in 2006, Peyravian and Jeffries [10] enhanced Peyravian and Zunic's scheme; however, Shim [11] claimed that Peyravian and Jeffries's scheme suffers from off-line password guessing and DoS attacks. In 2006, Chang et al. [12] proposed a new password authentication scheme based on a symmetric key cryptosystem. However, symmetric key distribution was a burden on the client, as symmetric key exchange is an immense challenge over unreliable networks. Recently, Zhu et al. [13] claimed that Hwang and Yeh's scheme is still susceptible to the replay attack, DoS attack, stolen-verifier attack and impersonation attack, and proposed an enhanced scheme, based on public key encryption/decryption with a timestamp and salting technique, to eliminate the weaknesses of Hwang and Yeh's scheme. Zhu et al. used a hardware component, called the trusted platform module (TPM) [14], which safely stores the salt file on the hard disk of the client's machine. However, Zhu et al.'s scheme has the serious clock synchronization problem due to timestamps, and the TPM puts a burden on the client.
Recently, several password-based remote user authentication protocols based on smartcards [15–22] have been implemented for logging into a remote server. These protocols can provide mutual authentication between the client and the server over an insecure network: the client can be authenticated by the remote server using an easy-to-memorize password, without the server maintaining a password-verifier table, and vice versa. But most of them are vulnerable to the off-line password guessing attack [22–25], impersonation attack [18,22,25,26], DoS attack [22,23,25], parallel session attack [24], replay attack [23], etc. Besides these attacks, the existing smartcard-based schemes are vulnerable to the stolen/lost smartcard attack [27], because sensitive verifier and secret values stored in the smartcard can be extracted by monitoring timing information and power consumption [25] and by reverse engineering techniques, as mentioned by Kocher et al. [28] and Messerges et al. [29]. Therefore, if an adversary steals the smartcard of a legitimate client, he can use it to produce a fabricated login message and then impersonate the legal client.
In this paper, the authors have analyzed Lin and Hwang's [9] scheme and observed that it is vulnerable to the insider attack, impersonation attack, known session-specific temporary information attack, many logged-in users' attack and stolen-verifier attack. In addition, session key distribution in Lin and Hwang's scheme is expensive because of modular exponentiation, which is much more expensive than elliptic curve point multiplication [30]; therefore, the key distribution protocol of Lin and Hwang's scheme has a high computational cost. Apart from the above, a secure remote login scheme for password authentication, password change and distribution of a secured session key is proposed in this paper, using ECC together with a symmetric key cryptosystem for its implementation.
The rest of the paper is organized as follows. Section 2 gives the necessary technical background, and a brief review of Lin and Hwang's scheme is given in Section 3. In Section 4, we discuss the weaknesses of Lin and Hwang's scheme, and the new scheme based on ECC is proposed in Section 5. Analyses of the security and efficiency of the proposed scheme are given in Section 6. Finally, Section 7 gives the concluding remarks.

2. Preliminaries

The elliptic curve cryptosystem [30] was initially proposed by Koblitz [31] and Miller [32] in 1985 for designing public key cryptosystems, and it has since become an integral part of modern cryptography. The security of ECC rests on the difficulty of solving the elliptic curve discrete logarithm problem (ECDLP), and it can achieve the same security as RSA with keys of fewer bits [30]. An overview of ECC, the computational problems on it and the bilinear pairings is given below.

2.1. Theory of elliptic curve

The equation of a non-singular elliptic curve Eq(a, b) over a finite field Zq (q > 3 a large prime) can be written as

y² ≡ x³ + ax + b (mod q)    (1)

where a and b are two constants such that 4a³ + 27b² ≠ 0 (mod q), which must hold for non-singularity. The points P(x, y) ∈ Eq(a, b), x, y ∈ Zq, together with O, called the 'point at infinity', form an additive cyclic group E = {(x, y) ∈ Eq(a, b)} ∪ {O}, where O serves as the additive identity element of the group. Point multiplication is computed by repeated addition as k · P = P + P + ··· + P (k times). More details of elliptic curve group properties can be found in [30].

2.2. Computational problems

Definition 1 (Elliptic Curve Discrete Logarithm Problem (ECDLP)). Given Q, R ∈ E, find an integer k ∈ Zq∗ such that R = kQ.

Definition 2 (Computational Diffie–Hellman Problem (CDHP)). Given (P, aP, bP) for any a, b ∈ Zq∗, computing abP in the group E is hard.

Definition 3 (Decisional Diffie–Hellman Problem (DDHP)). Given (P, aP, bP, cP) for any a, b, c ∈ Zq∗, decide whether or not cP = abP, i.e. decide whether c = ab mod q.

2.3. Bilinear pairings

Let G1 denote an additive group of prime order q, G2 a multiplicative group of the same order, and P a generator of G1. Also let ê : G1 × G1 → G2 be an admissible mapping which satisfies the following properties.
• Bilinearity: For any P, Q, R ∈ G1, ê(P + Q, R) = ê(P, R) · ê(Q, R) and ê(P, Q + R) = ê(P, Q) · ê(P, R). Therefore, for any a, b ∈ Zq∗, ê(aP, bQ) = ê(P, Q)^(ab) = ê(abP, Q) = ê(P, abQ) holds.
• Non-degeneracy: ê(P, P) ≠ 1G2, where 1G2 is the identity element of the group G2.
• Computability: There is an efficient algorithm to compute ê(P, Q) for any P, Q ∈ G1.
In general, G1 is a group of points on an elliptic curve, and G2 is a multiplicative subgroup of a finite field. The map ê is derived either from the modified Weil pairing or from the Tate pairing over a finite field. A more comprehensive description of bilinear pairings, and of the selection of suitable parameters, elliptic curves and groups for efficiency and security, can be found in [33–35].

3. Review of Lin and Hwang’s scheme

In this section, a brief description of the Lin and Hwang [9] scheme is given. It contains three parts, password authentication, password change and key distribution, which are described below using the notations listed in Table 1.

3.1. Password authentication protocol

It consists of the following steps:

Step 1. Client → Server: id, {rc, pw}Ks.
Step 2. Server → Client: rc ⊕ rs, H(rs).
Step 3. Client → Server: id, H(rc, rs).
Step 4. Server → Client: Access Granted/Denied.
In brief, the server stores H(pw) instead of pw to protect the password. During password authentication, the client selects a random number rc, encrypts rc and pw with the server's public key Ks and sends the result together with the client's id to the server, as shown in step 1. The server decrypts {rc, pw}Ks using its own private key, retrieves rc and pw, then compares the hash of the extracted pw with the H(pw) stored in the server's database. If they match, the server selects a random number rs, computes rc ⊕ rs and H(rs), and sends rc ⊕ rs and H(rs) back to the client. After receiving rc ⊕ rs, H(rs) from the server, the client XORs rc with rc ⊕ rs to retrieve rs. The client checks whether the hash of the retrieved rs equals the received H(rs); if so, the client computes the authentication token H(rc, rs) and sends id, H(rc, rs) back to the server. The server then computes H(rc, rs) using its own copies of rs and rc and compares it with the received H(rc, rs). If they match, the server sends the message 'Access Granted'; otherwise it sends the error message 'Access Denied' to the client.

3.2. Password change protocol

The four steps of this protocol are given below:

Step 1. Client → Server: id, {rc, pw}Ks.
Step 2. Server → Client: rc ⊕ rs, H(rs).
Step 3. Client → Server: id, H(rc, rs), H(new_pw) ⊕ H(rc + 1, rs), H(H(new_pw), rs).
Step 4. Server → Client: Access Granted/Denied.
If the client wants to change the old password pw to a new password new_pw, the client executes the password change protocol. The password change protocol is almost the same as the password authentication protocol, with a minor difference in step 3. In step 3 of the password change protocol, if the authentication token H(rc, rs) is validated, the server computes H(rc + 1, rs) and XORs it with H(new_pw) ⊕ H(rc + 1, rs) to retrieve H(new_pw). Then the server replaces H(pw) with H(new_pw), after validating the token H(H(new_pw), rs).

Table 1
Notations used in Lin and Hwang's scheme.

Notation      Description
id            Identity of the client, publicly known to all
pw            Secret password of a client
Ks            Public key of the server
{M}Ks         Encryption of the message M with the public key Ks
rc, rs        Random numbers chosen by the client and the server respectively
q, g          A large prime q, the order of the group Zq, and g the generator of the cyclic group Zq∗ in which the Diffie–Hellman problem is considered to be hard
x, y          Random exponents chosen by the client and the server respectively
H(·)          Collision-resistant one-way secure hash function
⊕             Bitwise XOR operator

Table 2
Notations used in the proposed scheme.

Notation      Description
IDA           Identity of the client A
pwA           Secret password of the client A
dS            Secret key of the server S
US            Public key of the server S, where US = dS · G
UA            Password-verifier of the client A, where UA = pwA · G
Kx            Secret key computed either as K = pwA · US = (Kx, Ky) or as K = dS · UA = (Kx, Ky)
EKx(•)        Symmetric encryption (AES) with Kx
G             Base point of the elliptic curve group of order n such that n · G = O, where n is a large prime number
H(•)          A collision-resistant one-way secure hash function
rA / rS       Random numbers chosen by the client / server from [1, n − 1] respectively
+ / −         Elliptic curve point addition / subtraction

3.3. Key distribution protocol

Let G be a finite cyclic group and g a generator of order q, where q is a large prime. Let x, y be two elements of Zq∗ chosen by the client and the server respectively and kept secret for a session. The values of G, g, q and Zq∗ are made public. The key distribution protocol is given below.
Step 1. Client → Server: id, {g^x, pw}Ks.
Step 2. Server → Client: g^x ⊕ g^y, H(g^y).
Step 3. Client → Server: id, H(g^x, g^y).
Step 4. Server → Client: Access Granted/Denied.
The common secret session key is then computed by the client and the server as (g^x)^y and (g^y)^x respectively.

4. Weaknesses of Lin and Hwang’s scheme

The cryptanalysis of Lin and Hwang's scheme [9] is made in this section, and some of its common weaknesses are given below.

4.1. Stolen-verifier attack

The stolen-verifier attack, described in [6,13], means that an outsider steals the password-verifier from the server's database and applies an off-line guessing attack to it to get the client's exact password, and hence can impersonate the legitimate client. In Lin–Hwang's scheme [9], the client C registers with the remote server S with id, H(pw), and S then stores the pair (id, H(pw)) in the database. The outsider A can find out C's password pw by performing the following procedure.
Step 1. A steals H(pw) from S's database and tries to find out C's password pw by an off-line password guessing attack on the stolen H(pw).
Step 2. A guesses a password pw″, computes H(pw″) and compares the result with the stolen H(pw).
Step 3. If H(pw″) = H(pw), then pw″ = pw, i.e., A has correctly guessed C's password. Otherwise, A repeats the process until the correct password pw is found. The correctness of the password can be checked by testing all possible passwords from the search space of size |PW|, where PW is the set of all possible passwords and |·| denotes the cardinality of a set. It is known that a client generally chooses a weak password (of low entropy) for easy memorization, so |PW| is not large.
Therefore, the stolen-verifier attack is possible in Lin–Hwang's scheme. The stolen-verifier attack in Lin–Hwang's scheme is illustrated in Fig. 1.

Fig. 1. Stolen-verifier attack in Lin–Hwang's scheme.

4.2. Insider attack

In the insider attack, as stated in [36,37], a client C may register with a number of servers S1, S2, ..., Sn using a common password pw and identity id for convenience; if a privileged insider U1 of S1 learns C's pw and id, then U1 may try to access the other servers S2, S3, ..., Sn using the same pw and id. In Lin–Hwang's scheme [9], the remote server initially stores the pair (id, H(pw)) of the client C in its database. Thus the insider attack on Lin–Hwang's scheme may be carried out in the following three steps:
Step 1. U1 steals the password-verifier H(pw) from S1's database.
Step 2. C has chosen an easy-to-memorize password, so it is not difficult for U1 to recover C's password pw from H(pw) by an off-line password guessing attack.
Step 3. U1 uses C's identity–password pair (id, pw), follows the password authentication protocol of Lin–Hwang's scheme and can easily log in to the other remote servers S2, S3, ..., Sn.
The detailed description of this attack is given in Fig. 2.

Fig. 2. Insider attack in Lin–Hwang's scheme.

4.3. Impersonation attack

According to the impersonation attack in [7,13], Lin and Hwang's scheme [9] is not free from this kind of attack; a brief description is given now.
Step 1. Client C sends the authentication message (id, {rc, pw}Ks) to S.
Step 2. On receiving C's authentication message (id, {rc, pw}Ks), the server S decrypts {rc, pw}Ks with its own private key and obtains C's original password pw.
Step 3. If S is not trusted, then C's password pw may be disclosed to an attacker A, who may try to impersonate C to log in to S as described below:
3.1. A selects a random number rA, generates {rA, pw}Ks and sends the authentication message (id, {rA, pw}Ks) to S.
3.2. S decrypts {rA, pw}Ks with its own private key, computes H(pw) and compares it with the H(pw) stored in the database. Since the computed H(pw) equals the stored H(pw), S selects a random number rS and replies with the message (rA ⊕ rS, H(rS)) to A.
3.3. A retrieves rS by XORing rA with rA ⊕ rS, computes H(rS) and compares it with the received H(rS). Now A computes the message (id, H(rA, rS)) and sends it back to S.
3.4. S computes H(rA, rS) from its own rS and the received rA and compares it with the received H(rA, rS). Since the computed H(rA, rS) equals the received H(rA, rS), the server S allows the attacker A to access C's account on the server S.
In addition, if the private key of S is accidentally leaked to an adversary A, he can impersonate the client C after revealing C's password pw from the eavesdropped message (id, {rc, pw}Ks) sent by C to S during the password authentication phase. Thus Lin–Hwang's scheme fails to protect against this kind of impersonation attack. For clarity, the details of this attack are given in Fig. 3.

Fig. 3. Impersonation attack in Lin–Hwang's scheme.

4.4. Many logged-in users' attack

The many logged-in users' attack is defined as the simultaneous access of a legitimate client's account on a remote server by multiple adversaries using the same identity and password of the client. In Lin–Hwang's scheme [9], the remote server S stores the identity, password-verifier pair (id, H(pw)) of the client C in the database. Assume C's legitimate id and pw are accidentally exposed to many adversaries A1, A2, ..., Am; then all who know id and pw can log in to the remote server S at the same time by executing the following steps:
Step 1. A1, A2, ..., Am choose random numbers rA1, rA2, ..., rAm and send the login requests (id, {rA1, pw}Ks), (id, {rA2, pw}Ks), ..., (id, {rAm, pw}Ks) to S concurrently.
Step 2. S decrypts all the messages (id, {rA1, pw}Ks), (id, {rA2, pw}Ks), ..., (id, {rAm, pw}Ks) and gets the same identity–password pair (id, pw). Thus S allows all of A1, A2, ..., Am to log in and access C's account concurrently.
This attack on Lin–Hwang's scheme is further illustrated using a flow chart in Fig. 4.

4.5. Known session-specific temporary information attack

A detailed explanation of the known session-specific temporary information attack is given in [38–40]. Cheng et al. [41] and Mandt and Tan [42] argued that if the session ephemeral secrets are accidentally exposed to an adversary A, then some authentication mechanism must be incorporated in the session key distribution protocol so that this exposure does not compromise the resulting session key. According to the above discussion, we point out that Lin–Hwang's scheme cannot resist the known session-specific temporary information attack. For instance, in Lin and Hwang's scheme, two ephemeral secrets x and y are selected by the client C and the server S respectively in each session, and the session key is computed as SK = (g^y)^x = (g^x)^y = g^(xy). Now if these two ephemeral secrets x and y are compromised to A by some means, then A can easily compute the session key as SK = (g^x)^y = g^(xy) or SK = (g^y)^x = g^(xy). Hence, Lin and Hwang's scheme fails to prevent the known session-specific temporary information attack. We further explain this attack in Fig. 5.

5. Proposed ECC-based scheme

In this section, we propose an elliptic curve cryptosystem based improved remote login scheme which provides the security provisions missing from Lin and Hwang's scheme. The notations used throughout the proposed scheme are listed in Table 2.
The proposed scheme consists of four phases: the Registration phase, Password authentication phase, Password change phase and Session key distribution phase. Each of these phases is discussed below.

5.1. Registration phase

Initially, a client A must register with the server S with his own identity IDA and password-verifier UA, and collects the server's public key US. The server then stores each legal client's identity, password-verifier and a status-bit in a write-protected file as depicted in Table 3, where the status-bit indicates the status of the client: when the client is logged in to the server the status-bit is set to one, otherwise it is set to zero.

Table 3
The verifier table.

Identity   Password-verifier   Status-bit
IDA        UA = pwA · G        0/1
IDB        UB = pwB · G        0/1
IDC        UC = pwC · G        0/1
...        ...                 ...

Fig. 4. Many logged-in users' attack in Lin–Hwang's scheme.

5.2. Password authentication phase

The password authentication protocol consists of the following four steps:

Step 1. Client → Server: IDA, EKx(IDA, RA, WA).
The client A keys his identity IDA and password pwA into the terminal. The client selects a random number rA from [1, n − 1] and computes RA = rA · US and WA = (rA · pwA) · G. Then he encrypts (IDA, RA, WA) using a symmetric key Kx and sends the result to the server. The encryption key Kx is the x coordinate of K = pwA · US = pwA · dS · G = (Kx, Ky).
Step 2. Server → Client: (WA + WS), H(WS).
The server computes the decryption key Kx by calculating K = dS · UA = pwA · dS · G = (Kx, Ky) and then decrypts EKx(IDA, RA, WA) using Kx. Subsequently the server compares the decrypted IDA with the received IDA, and ê(RA, UA) with ê(WA, US). If all the conditions are satisfied, the server selects a random number rS and computes WS = rS · US = rS · dS · G. Then the server sends (WA + WS) and H(WS) to the client.
Step 3. Client → Server: IDA, H(WA, WS).
The client retrieves WS by subtracting WA from (WA + WS). If the hash of the retrieved WS is equal to the received H(WS), then the client computes H(WA, WS) and sends it to the server.
Step 4. Server → Client: Access Granted/Denied.
The server computes the hash value with its own copy of WS and the WA received from the client, and compares it with the received H(WA, WS) to accept or deny the login request. If all of the conditions are satisfied then the server grants the client's login request; otherwise it rejects the login request.

5.3. Password change phase

Step 1. Client → Server: IDA, EKx(IDA, RA, WA).
Step 2. Server → Client: WA + WS, H(WS).
Step 3. Client → Server: IDA, H(WA, WS), WA + UA′, H(WS, UA′).
Step 4. Server → Client: Password Change Granted/Denied.
If the client wants to change the old password pwA to a new password pwA′, the client computes the corresponding password-verifier UA′ = pwA′ · G. In step 3, if the authentication token H(WA, WS) is validated, the server subtracts WA from WA + UA′ to extract the new password-verifier UA′. The server then replaces UA with UA′ if the hash of (WS, UA′) equals the received H(WS, UA′).

Fig. 5. Known session-specific temporary information attack in Lin–Hwang's scheme.

5.4. Session key distribution phase

Step 1. Client → Server: IDA, EKx(IDA, RA, WA).
Step 2. Server → Client: WA + WS, H(WS).
Step 3. Client → Server: IDA, H(WA, WS).
Step 4. Server → Client: Key Distribution Granted/Denied.
In this protocol two random numbers rA and rS are chosen by the client and the server from [1, n − 1]. The client computes the final session key as SK = (rA · pwA) · WS = rA · rS · pwA · dS · G and the server computes SK = (rS · dS) · WA = rA · rS · pwA · dS · G.
The proposed ECC-based scheme is illustrated in Fig. 6.
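To make the algebra of Sections 5.2 to 5.4 concrete, the following Python walk-through (added here; it is not the authors' code) runs registration, authentication, session key agreement and the password-change verifier update on the public secp256k1 curve, standing in for the curve parameters the paper leaves unspecified. The AES encryption under Kx and the pairing check ê(RA, UA) = ê(WA, US) are not reproduced: a Kx mismatch is treated as a failed decryption, and the hash H(·) over points, the password-to-scalar mapping and the sample passwords are our own constructions.

```python
import hashlib
import secrets

# secp256k1 domain parameters (a public, standard curve); any prime-order curve will do.
P = 2**256 - 2**32 - 977
A = 0
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
O = None  # point at infinity, the additive identity


def point_add(p1, p2):
    """Group law of Eq(a, b) in affine coordinates (Section 2.1)."""
    if p1 is O:
        return p2
    if p2 is O:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return O                                      # P + (-P) = O
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P)  # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P)         # chord slope
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def point_sub(p1, p2):
    """p1 - p2: the '-' of Table 2, used to unmask WS and UA'."""
    return point_add(p1, O if p2 is O else (p2[0], (-p2[1]) % P))


def scalar_mult(k, p):
    """k·P by double-and-add (repeated addition, Section 2.1)."""
    result, addend = O, p
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def H(*points):
    """H(·) over curve points: SHA-256 of their fixed-width coordinates (our construction)."""
    h = hashlib.sha256()
    for x, y in points:
        h.update(x.to_bytes(32, "big") + y.to_bytes(32, "big"))
    return h.hexdigest()


def pw_scalar(password):
    """Map a password to the multiplier pwA in [1, n-1] (this mapping is our assumption)."""
    return int.from_bytes(hashlib.sha256(password.encode()).digest(), "big") % (N - 1) + 1


def rand_scalar():
    return secrets.randbelow(N - 1) + 1               # rA, rS, dS drawn from [1, n-1]


def run_scheme(registered_pw, typed_pw, new_pw):
    """One run of the scheme; typed_pw differs from registered_pw for a wrong-password attempt."""
    # 5.1 Registration: server key pair (dS, US); verifier UA = pwA·G kept by S.
    dS = rand_scalar()
    US = scalar_mult(dS, G)
    UA = scalar_mult(pw_scalar(registered_pw), G)

    # 5.2 step 1: client derives Kx from (pwA, US) and forms RA and WA.
    pwA = pw_scalar(typed_pw)
    rA = rand_scalar()
    client_Kx = scalar_mult(pwA, US)[0]
    RA = scalar_mult(rA, US)                          # sent inside E_Kx(IDA, RA, WA)
    WA = scalar_mult(rA * pwA % N, G)

    # 5.2 step 2: server derives Kx from (dS, UA). A mismatch means it cannot decrypt
    # E_Kx(IDA, RA, WA) and aborts; AES and the pairing check are not reproduced here.
    server_Kx = scalar_mult(dS, UA)[0]
    if server_Kx != client_Kx:
        return {"same_Kx": False, "accepted": False}
    rS = rand_scalar()
    WS = scalar_mult(rS, US)                          # WS = rS·US = rS·dS·G
    masked_WS, h_WS = point_add(WA, WS), H(WS)

    # 5.2 steps 3-4: client unmasks WS, checks H(WS), answers with H(WA, WS).
    WS_client = point_sub(masked_WS, WA)
    server_authentic = H(WS_client) == h_WS
    accepted = server_authentic and H(WA, WS_client) == H(WA, WS)

    # 5.4: SK = (rA·pwA)·WS on the client and (rS·dS)·WA on the server.
    sk_client = scalar_mult(rA * pwA % N, WS_client)
    sk_server = scalar_mult(rS * dS % N, WA)

    # 5.3 step 3: client sends WA + UA', H(WS, UA'); server unmasks and verifies UA'.
    UA_new = scalar_mult(pw_scalar(new_pw), G)
    recovered = point_sub(point_add(WA, UA_new), WA)
    change_ok = recovered == UA_new and H(WS, recovered) == H(WS_client, UA_new)

    return {"same_Kx": True, "accepted": accepted,
            "same_session_key": sk_client == sk_server, "password_change_ok": change_ok}
```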

5.5. Correctness of the proposed scheme

All the protocols given above rely on a bilinear pairing that assures the correctness of the scheme. The proof for the pairing check used is given below. To prove ê(RA, UA) = ê(WA, US), we can rewrite
ê(RA, UA) = ê(rA · dS · G, pwA · G) = ê(G, G)^(rA · pwA · dS)
ê(WA, US) = ê(rA · pwA · G, dS · G) = ê(G, G)^(rA · pwA · dS)
Therefore, ê(RA, UA) = ê(WA, US).

6. Security and efficiency analysis of the proposed scheme

In this section, the security analysis of the proposed scheme is given to validate our claim. Furthermore, a comparison of the proposed scheme with other related schemes is given as a performance study of our scheme.

6.1. Security analysis

The proposed scheme is free from all known cryptographic attacks and provides several security attributes, as described below.

Fig. 6. The proposed ECC-based remote login scheme.

S1: Replay attack
A replay attack is an offensive action through which an adversary may impersonate the legitimate client by reusing information obtained from a previous run of the protocol. In the proposed protocol, WA is encrypted with a secret symmetric key Kx, which can be computed only from the server's or a legal client's secret. Suppose the adversary wants to impersonate the legitimate client by replaying the older session message (IDA, EKx(IDA, RA, WA)); he cannot obtain WA or WS, because to know WA he has to compute the symmetric key K = pwA · US = dS · UA = (Kx, Ky), which is impossible, since the key can be computed only from the private key dS of the server and the password-verifier UA of the client, or from the password pwA of the client and the public key US of the server. If the adversary replies with a wrong message H(WA∗, WS∗) in step 3, the server can detect it by comparing with H(WA, WS). So the proposed scheme can prevent this kind of replay attack.
S2: Password guessing attack
The password guessing attack is an important issue in any password-based remote user authentication scheme. In practice, the client tends to use a weak password (of low entropy) for easy memorization. A weak password can be easily guessed by the adversary, and using that password the adversary may impersonate the legal client. In the proposed protocol, the server stores the password-verifier UA = pwA · G in a write-protected file, and the adversary cannot extract the password pwA from UA as he would have to solve the ECDLP [30]; thus the password guessing attack is infeasible against the proposed scheme.
S3: Impersonation attack
Assume that an adversary makes an effort to impersonate the server in order to exchange a session key with the legal client. The adversary has intercepted the message EKx(IDA, RA, WA) from a previous run of the protocol. It is impossible for the adversary to figure out WA from the message EKx(IDA, RA, WA), because (IDA, RA, WA) is encrypted with a symmetric secret key Kx known only to the client and the server. The adversary then replies to the client with a wrong message (WA∗ + WS∗, H(WS∗)) (here WA∗ and WS∗ are randomly chosen by the adversary). Upon receiving the message (WA∗ + WS∗, H(WS∗)), the client compares H(WA∗ + WS∗ − WA) with H(WS∗); they are not the same, and therefore the client terminates the key distribution protocol. Accordingly, the impersonation attack is infeasible in the proposed scheme.
S4: Denial of service attack
The server closes a login session if the number of login attempts on an account with an incorrect password exceeds a limit
value. Even so, such a client's account remains workable, and later login requests pass as long as the correct password is
provided. In Step 3 of the proposed password change protocol, suppose the adversary replaces (IDA, H(WA, WS), WA + UA',
H(WS, UA')) with (IDA, H(WA, WS), X, H(WS, UA')) and sends the latter message to the server, where X is an arbitrary random
elliptic curve point. On receiving the message (IDA, H(WA, WS), X, H(WS, UA')), the server computes X − WA and H(WS, X − WA),
and compares the latter value with the received H(WS, UA'). They are different, and therefore the server rejects the password
change with a failure message to the client. Therefore, the proposed protocol has the capability to detect the denial of service
attack.
S5: Many logged-in users' attack
The proposed protocol can withstand the many logged-in users' attack. Assume that the password pwA and the login-id IDA
of a legal client A are leaked to more than one adversary. In the proposed scheme, only one of all those who know the valid
password pwA and login-id IDA can be logged in to the remote server at any one time. When an adversary logs in using the
valid password pwA and login-id IDA, the server sets the status-bit to one; if other adversaries meanwhile try to log in to the
server with the same password pwA and login-id IDA, the server denies all their requests because the status-bit indicates that
someone is still logged in.
S6: Server spoofing attack
In a server spoofing attack, an adversary tries to masquerade as the server in order to learn the client's long-term secret. The
long-term secrets are the client's password and the server's private key. The symmetric key K = pwA · US = dS · UA = (Kx, Ky)
cannot be computed without the server's secret key dS or the password pwA of the client A. In Step 1 of the password
authentication protocol, an adversary cannot obtain WA by decrypting (IDA, EKx(IDA, RA, WA)) with a wrong key, so the adversary
cannot succeed in Step 2. Even if, by chance, the adversary knows the value of WA, extracting the password from it is impossible
due to the difficulty of the ECDLP. Therefore, an adversary cannot succeed against the proposed protocol by a server spoofing attack.
S7: Perfect forward secrecy
Perfect forward secrecy means that if the private key of the server and the password of the client are compromised, the
secrecy of previously established session keys is not affected. Assume that the client's password pwA and the server's secret
key dS are known to an adversary. The adversary can compute K = pwA · US = dS · UA = (Kx, Ky) and thus figure out WA and WS
from the messages (IDA, EKx(IDA, RA, WA)) and (WA + WS, H(WS)), but he cannot derive the session key SK = rA · rS · pwA · dS · G.
To obtain the session key SK, the adversary would have to compute it directly from the pair (WA, WS) = (rA · pwA · G, rS · dS · G),
which is impossible due to the difficulty of the computational Diffie–Hellman problem. In other words, even if the current
session key is leaked, this disclosure does not allow the adversary to derive the past session keys, because each session key
depends on the fresh random numbers rA and rS. Hence the proposed key distribution protocol provides perfect forward secrecy.
S8: Insider attack
By stealing the password-verifier from the server's verifier table, a privileged insider of the server could access other
servers (where the client is registered with the same identity and password) by making a valid login request. The proposed
scheme maintains a password-verifier table, which contains the client's identity IDA and password-verifier UA = pwA · G. It is
computationally impossible to extract the password pwA from the verifier UA due to the difficulty of the ECDLP, and hence an
adversary who steals UA cannot generate the symmetric key Kx. Thus the privileged insider cannot impersonate the legitimate
client, as he is unable to authenticate himself to the remote server without Kx, and therefore the insider attack is infeasible
against the proposed scheme.

Table 4
Security comparisons of the proposed scheme with other remote login schemes.

Security attributes/Schemes | S1     | S2      | S3      | S4      | S5  | S6     | S7     | S8  | S9
Peyravian–Zunic [2]         | Yes    | No [3]  | No [7]  | No [43] | No  | No [7] | –      | No  | –
Hwang–Yeh [7]               | No [8] | No [13] | No [13] | No [9]  | No  | Yes    | No [9] | No  | No
Lin–Hwang [9]               | Yes    | No      | No      | Yes     | No  | Yes    | Yes    | No  | No
Zhu [13]                    | Yes    | Yes     | No      | Yes     | Yes | Yes    | –      | Yes | –
Proposed                    | Yes    | Yes     | Yes     | Yes     | Yes | Yes    | Yes    | Yes | Yes

Yes: prevents the attack; No: unable to prevent the attack; –: not supported by the scheme; No [i]: proof is given in [i].

S9: Known session-specific temporary information attack
In the proposed scheme, after successful password authentication the client and the server compute the session key
SK = rA · rS · pwA · dS · G. Suppose that the ephemeral secrets rA and rS are exposed to an adversary. It is still impossible to
derive the session key SK from the knowledge of rA and rS alone, since the session key SK contains not only rA and rS but also
the client's password pwA and the server's secret key dS. Therefore, to compute the session key the adversary has to know
pwA · dS · G. Computing pwA · dS · G from the pair (UA, US) = (pwA · G, dS · G) is equivalent to solving the CDHP, which is hard
for any polynomial time algorithm. Thus the known session-specific temporary information attack is not possible against the
proposed scheme.
Table 4 sums up the cryptographic security attributes of the proposed scheme and of some relevant schemes [2,7,9,13]; it
shows that our scheme prevents all the related cryptographic attacks.
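As an added example (not the paper's code), the following Python script carries out the elliptic curve computations that S1–S9 rely on: the symmetric key K = pwA · US = dS · UA, the client's step-2 check H((WA + WS) − WA) = H(WS), the server's step-3 comparison of H(WA, WS), and the session key SK = rA · rS · pwA · dS · G that each side derives from the other's challenge. The curve (secp256k1) and the choice of SHA-256 over point coordinates as H are assumptions of this example; the paper fixes neither.

```python
"""Added example, not the paper's code: the point arithmetic behind the scheme's
symmetric key K = pwA*US = dS*UA, its step-2/step-3 checks and the session key
SK = rA*rS*pwA*dS*G. Curve (secp256k1) and H (SHA-256) are assumptions."""
import hashlib
import secrets

P = 2**256 - 2**32 - 977                        # secp256k1 field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None                                      # point at infinity

def add(p1, p2):
    """Affine addition on y^2 = x^3 + 7 over F_P (the paper's EAD)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF                              # Q + (-Q)
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def neg(pt):
    return INF if pt is INF else (pt[0], -pt[1] % P)

def mul(k, pt):
    """Double-and-add scalar multiplication (the paper's EPM)."""
    acc, addend = INF, pt
    while k:
        if k & 1:
            acc = add(acc, addend)
        addend = add(addend, addend)
        k >>= 1
    return acc

def H(*points):
    """H applied to curve points: SHA-256 of their fixed-width coordinates."""
    h = hashlib.sha256()
    for x, y in points:
        h.update(x.to_bytes(32, "big") + y.to_bytes(32, "big"))
    return h.hexdigest()

def client_step2_check(WA, received_sum, received_hash):
    """Client recovers WS' = (WA + WS) - WA and accepts only if H(WS') matches.
    A reply (WA* + WS*, H(WS*)) built without knowing WA fails this check (S3)."""
    return H(add(received_sum, neg(WA))) == received_hash

def key_distribution(pwA, dS, rA, rS):
    """One honest run; returns (SK at client, SK at server, step-2 ok, step-3 ok)."""
    US = mul(dS, G)                         # server public key
    UA = mul(pwA, G)                        # password-verifier kept by the server
    assert mul(pwA, US) == mul(dS, UA)      # K = (Kx, Ky) agrees on both sides
    WA = mul(rA * pwA % N, G)               # client's challenge, sent under E_Kx
    WS = mul(rS * dS % N, G)                # server's challenge
    msg_sum, msg_hash = add(WA, WS), H(WS)  # server's reply (WA + WS, H(WS))
    step2_ok = client_step2_check(WA, msg_sum, msg_hash)
    WS_at_client = add(msg_sum, neg(WA))
    step3_ok = H(WA, WS_at_client) == H(WA, WS)  # server compares H(WA, WS)
    SK_client = mul(rA * pwA % N, WS_at_client)  # rA*pwA*(rS*dS*G)
    SK_server = mul(rS * dS % N, WA)             # rS*dS*(rA*pwA*G)
    return SK_client, SK_server, step2_ok, step3_ok

if __name__ == "__main__":
    pw, d, ra, rs = (secrets.randbelow(N - 1) + 1 for _ in range(4))
    skc, sks, ok2, ok3 = key_distribution(pw, d, ra, rs)
    print("session keys agree:", skc == sks, "| step 2:", ok2, "| step 3:", ok3)
```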
• Impersonation attack in Zhu's scheme
In Zhu's scheme [13], the client makes the registration request to the remote server with the identity id and H(pw, s),
where s is a salt generated by the client. Hence there is a possibility that H(pw, s) is compromised to an outsider if the
server is not trusted. An outsider who knows H(pw, s) performs the password authentication just by selecting a random
number rc'', a fresh timestamp T'' and then sending the authentication message (id, EKs(rc'', H(pw, s), T'')) to the remote
server. The server then retrieves H(pw, s) after decrypting the message EKs(rc'', H(pw, s), T''), computes the hash of
H(pw, s) and compares it with the H(H(pw, s)) stored in the server's database. Therefore, the outsider successfully
impersonates a legitimate client and logs in to the remote server.
• Many logged-in users' attack in Peyravian–Zunic's and Hwang–Yeh's schemes
The Peyravian–Zunic [2] and Hwang–Yeh [7] schemes do not prevent the many logged-in users' attack. In
Peyravian–Zunic's scheme [2], the server stores (id, H(id, pw)) in the database for a client having identity id and password
pw. If the client's id and pw are leaked to multiple adversaries, then all who know id and pw can follow the protected password
transmission protocol of Peyravian–Zunic's scheme and access the client's account on the same server concurrently, in the
same way as described in Section 4.4. The Hwang–Yeh scheme [7] and the Lin–Hwang scheme [9] follow the same client
registration and password authentication procedures, and since, as shown in Section 4.4, the Lin–Hwang scheme cannot
resist the many logged-in users' attack, the Hwang–Yeh scheme is also vulnerable to this attack.
• Insider attack in Peyravian–Zunic's and Hwang–Yeh's schemes
In practice, a client may register with a number of servers using the same password pw and identity id. In
Peyravian–Zunic's scheme [2], the server maintains a record (id, H(id, pw)) for the client in a database. A privileged insider
of a remote server can steal H(id, pw) and execute an off-line password guessing attack on it. Therefore, the privileged insider
obtains the exact password pw and accesses other servers where the client is registered as a legal client. So the
Peyravian–Zunic scheme is vulnerable to the insider attack. The Hwang–Yeh scheme [7] is also susceptible to the insider
attack: in that scheme the server stores (id, H(pw)), and a privileged insider who steals H(pw) can apply an off-line password
guessing attack on H(pw) and recover the exact password pw.
• Known session-specific temporary information attack in Hwang–Yeh's scheme
In Hwang–Yeh's scheme [7], the client and the server, after successful password authentication, compute the session key
by applying some mutually agreed function to the session ephemeral secrets rc and rs. If these two secrets rc and rs are
leaked to an adversary by some means, the resulting session key is compromised. Therefore, the known session-specific
temporary information attack is possible in Hwang–Yeh's scheme.

6.2. Efficiency analysis

In this subsection, we summarize the functional requirements that help to evaluate the efficiency of a remote user
authentication scheme. Each of these is a crucial requirement for an efficient remote login scheme over unreliable networks.

Table 5
Functionality comparisons of different remote login schemes with the proposed scheme.

Efficiency/Schemes   | E1  | E2  | E3  | E4  | E5            | E6       | E7
Peyravian–Zunic [2]  | Yes | Yes | No  | Yes | Prevented     | Not used | Smaller
Hwang–Yeh [7]        | Yes | Yes | Yes | Yes | Prevented     | Not used | Higher
Lin–Hwang [9]        | Yes | Yes | Yes | Yes | Prevented     | Not used | Higher
Zhu [13]             | Yes | Yes | No  | Yes | Not prevented | Used     | Higher
Proposed             | Yes | Yes | Yes | Yes | Prevented     | Not used | Smaller

Yes: supported; No: not supported.

E1: Mutual authentication
Client authentication may satisfy the necessary security requirements in a simple password-based remote login system.
However, in many situations highly confidential data are exchanged between client and server, and then server
authentication is also necessary so that the client can confidently communicate with the trusted server. This means that
mutual authentication between client and server is needed. The proposed scheme provides this using a three-way
challenge–response handshake technique.
E2: Choosing a friendly password by the client
Clients can choose their password freely without any assistance from the remote server. In the proposed scheme an
easy-to-remember (low-entropy) password pw is chosen by the client, and the password-verifier U = pw · G is stored in the
server's database; pw cannot be derived from it due to the difficulty of the ECDLP.
E3: Session key agreement
The proposed scheme supports session key agreement, which establishes a common secure session key between the client
and the server in each session. With this session key, the client and the remote server can exchange highly confidential data
securely.
E4: Secure password change scheme
A legitimate client can change their password after the registration phase. The proposed scheme has a secure
(DoS-resistant) password change scheme, i.e., the remote user can change/update their password at any time.
E5: Clock synchronization problem
The problem of clock synchronization arises from the timestamps used in a remote login system; discarding the timestamp
avoids this problem. The Zhu et al. [13] scheme uses a timestamp to provide security against the replay attack. However,
timestamps cause the clock synchronization problem, especially in a wide area network. It is better to include some
self-verifying mechanism in the protocol that can detect a replay attack. Accordingly, the proposed scheme and [2,7,9] avoid
the use of timestamps and prevent the clock synchronization problem by applying the three-way challenge–response technique.
E6: Extra hardware device
The scheme in [13] prevents the off-line password guessing attack by employing a salting technique. To protect the salt,
an extra hardware device, a trusted platform module (TPM) [14], is used. The salt file is encrypted by the Root of Trust for
Storage (RTS), or by a storage key which is itself encrypted by the RTS, and stored on the hard disk of the client's system. The
use of a TPM puts an extra burden on the client. In contrast, the proposed scheme and [2,7,9] provide a fully software-based
solution; no extra hardware device is needed.
E7: Bandwidth requirements
The proposed scheme is implemented with ECC and uses symmetric key encryption/decryption, whereas the other
schemes [7,9,13] use public key encryption/decryption. Symmetric key encryption is faster and produces a ciphertext of fewer
bits than any public key encryption [30]. Thus the length of the message transmitted in Step 1 of the proposed scheme is
smaller than in the others [7,9,13]. Consequently, the bandwidth requirement of the proposed scheme is smaller than that of
the Hwang–Yeh, Lin–Hwang and Zhu et al. schemes.
We provide a comparative study of the different functional requirements of some existing schemes [2,7,9,13] and the
proposed scheme in Table 5. Note that our scheme satisfies all the above-mentioned requirements.
The key distribution protocol of Lin and Hwang's scheme uses the Diffie–Hellman key exchange algorithm [44], so the
random challenges g^x and g^y require modular exponentiation (MEXP), which is an expensive operation, and the Lin and
Hwang scheme also applies a public key encryption/decryption technique. Public key encryption/decryption is a slower
operation than symmetric key operations, and the computation cost of elliptic curve point multiplication is much less than
that of modular exponentiation [45], because a 160-bit ECDLP and a 1024-bit discrete logarithm problem (DLP) have the
same security level [30]. Therefore, the Lin and Hwang scheme has a high computation cost. The proposed protocol reduces
the communication, computation and storage space costs because ECC and symmetric key encryption/decryption are used.
It is to be noted that the proposed scheme uses a general cryptographic hash function and, instead of the XOR operation,
elliptic curve point multiplication/addition (EPM/EAD), which is considerably slower than XOR; but instead of public key
encryption (slower) it uses symmetric key encryption (faster). Therefore, the overall computation cost of the proposed scheme
is lower than that of the others [7,9,13]. A comparative study in terms of the different operations and encryption/decryption
used and the overall computation cost in the different schemes, namely Peyravian–Zunic [2], Hwang–Yeh [7], Lin–Hwang [9],
Zhu et al. [13] and the proposed scheme, is given in Table 6. From the security analysis and efficiency discussion, it is evident
that the proposed scheme is efficient, secure and user friendly.

Table 6
Operations and encryption/decryption used, and the overall computation cost, of the different schemes.

Schemes              | Operations used | Encryption/decryption | Overall computation cost | ECC is used
Peyravian–Zunic [2]  | Hash, XOR       | Not used              | Low                      | No
Hwang–Yeh [7]        | Hash, XOR       | Public key            | High                     | No
Lin–Hwang [9]        | Hash, XOR, MEXP | Public key            | High                     | No
Zhu [13]             | Hash, XOR       | Public key            | High                     | No
Proposed             | Hash, EPM, EAD  | Symmetric key         | Low                      | Yes

7. Conclusion

In this paper, an ECC-based secure and efficient scheme for password authentication and update in a remote login system
is proposed. A protocol for distributing a session key between the client and the server is also proposed. It is found that the
proposed scheme improves the Lin and Hwang scheme and also removes the security flaws of Zhu et al.'s scheme, such as the
impersonation attack and the clock synchronization problem. The proposed scheme supports the generation of a symmetric
key, which can be used for the confidential exchange of messages using a symmetric key encryption technique. The security
analysis of the proposed scheme is given and confirms protection against all the related attacks.

Acknowledgments

The authors would like to thank the anonymous reviewers and editors who helped to improve this work. The first author,
SK Hafizul Islam, is working as a full-time research scholar (Reg. No. 2010DR0007) in the Department of Computer Science and
Engineering, Indian School of Mines, Dhanbad, under the DST INSPIRE fellowship, Reg. No. IF10247, Department of Science
and Technology, Govt. of India. The authors also express their gratitude to the ISEA Project, No. MIT(2)/2006-08/189/CSE,
Ministry of Information Technology, Govt. of India.

References

[1] L. Lamport, Password authentication with insecure communication, Communications of the ACM 24 (11) (1981) 770–772.
[2] M. Peyravian, N. Zunic, Methods for protecting password transmission, Computers and Security 19 (5) (2000) 466–469.
[3] C.C. Lee, L.H. Li, M.S. Hwang, A remote user authentication scheme using hash functions, ACM Operating Systems Review 36 (4) (2002) 23–29.
[4] W.C. Ku, C.M. Chen, H.L. Lee, Weaknesses of Lee–Li–Hwang's hash-based password authentication scheme, ACM Operating Systems Review 37 (4) (2003) 19–25.
[5] E.J. Yoon, E.K. Ryu, K.Y. Yoo, A secure user authentication scheme using hash functions, ACM Operating Systems Review 38 (2) (2004) 62–68.
[6] W.C. Ku, M.H. Chiang, S.T. Chang, Weaknesses of Yoon–Ryu–Yoo's hash-based password authentication scheme, ACM Operating Systems Review 39 (1) (2005) 85–89.
[7] J.J. Hwang, T.C. Yeh, Improvement on Peyravian–Zunic's password authentication schemes, IEICE Transactions on Communications E85-B (4) (2002) 823–825.
[8] W.C. Ku, C.M. Chen, L. Hui, Cryptanalysis of a variant of Peyravian–Zunic's password authentication scheme, IEICE Transactions on Communications E86-B (5) (2002) 1682–1684.
[9] C.L. Lin, T. Hwang, A password authentication scheme with secure password updating, Computers and Security 22 (1) (2003) 68–72.
[10] M. Peyravian, C. Jeffries, Secure remote user access over insecure networks, Computer Communications 29 (5) (2006) 660–667.
[11] K.A. Shim, Security flaws of remote user access over insecure networks, Computer Communications 30 (1) (2006) 117–121.
[12] Y.F. Chang, C.C. Chang, Y.L. Liu, Password authentication without the server public key, IEICE Transactions on Communications E87-B (10) (2004) 3088–3091.
[13] L. Zhu, S. Yu, X. Zhang, Improvement upon mutual password authentication scheme, in: International Seminar on Business and Information Management, 2008, pp. 400–403.
[14] Trusted Computing Group, TCG Specification Architecture Overview, 2007. Available: http://www.trustedcomputinggroup.org/.
[15] Z.H. Shen, A new modified remote user authentication scheme using smartcards, Applied Mathematics 23 (3) (2008) 371–376.
[16] Y.L. Jia, A.M. Jhou, M.X. Gao, A new mutual authentication scheme based on nonce and smartcards, Computer Communications 31 (10) (2008) 2205–2209.
[17] W.S. Juang, W.K. Nien, Efficient password authenticated key agreement using bilinear pairings, Mathematical and Computer Modelling 47 (11–12) (2008) 1238–1245.
[18] S.K. Kim, M.G. Chung, More secure remote user authentication scheme, Computer Communications 32 (6) (2009) 1018–1021.
[19] J. Xu, W.T. Zhu, D.G. Feng, An improved smart card based password authentication scheme with provable security, Computer Standards and Interfaces 31 (4) (2009) 723–728.
[20] M. Kumar, An enhanced remote user authentication scheme with smart card, International Journal of Network Security 10 (3) (2010) 175–184.
[21] C.T. Li, M.S. Hwang, An efficient biometrics-based remote user authentication scheme using smart cards, Journal of Network and Computer Applications 33 (1) (2010) 1–5.
[22] X.M. Wang, W.F. Zhang, J.S. Zhang, M.K. Khan, Cryptanalysis and improvement on two efficient remote user authentication scheme using smart cards, Computer Standards and Interfaces 29 (2007) 507–512.
[23] T. Xiang, K.W. Wong, X. Liao, Cryptanalysis of a password authentication scheme over insecure networks, Journal of Computer and System Sciences 74 (5) (2008) 657–661.
[24] H.C. Hsiang, W.K. Shih, Weaknesses and improvements of the Yoon–Ryu–Yoo remote user authentication scheme using smart cards, Computer Communications 32 (4) (2009) 649–652.
[25] M. Joye, F. Olivier, Side-channel analysis, in: Encyclopedia of Cryptography and Security, Kluwer Academic Publishers, 2005, pp. 571–576.
[26] H.R. Chung, W.C. Ku, M.J. Tsaur, Weaknesses and improvement of Wang et al.'s remote user password authentication scheme for resource-limited environments, Computer Standards and Interfaces 31 (4) (2009) 863–868.
[27] Y. Chen, J.S. Chou, C.H. Huang, Comments on five smart card based password authentication protocols, International Journal of Computer Science and Information Security 8 (2) (2010) 129–132.
[28] P. Kocher, J. Jaffe, B. Jun, Differential power analysis, in: Proceedings of Advances in Cryptology – Crypto'99, LNCS, 1999, pp. 388–397.
[29] T.S. Messerges, E.A. Dabbish, R.H. Sloan, Examining smart-card security under the threat of power analysis attacks, IEEE Transactions on Computers 51 (5) (2002) 541–552.
[30] D. Hankerson, A. Menezes, S. Vanstone, Guide to Elliptic Curve Cryptography, Springer-Verlag, New York, USA, 2004.
[31] N. Koblitz, Elliptic curve cryptosystems, Mathematics of Computation 48 (177) (1987) 203–209.
[32] V. Miller, Use of elliptic curves in cryptography, in: Proceedings of Advances in Cryptology – Crypto'85, LNCS, 1985, pp. 417–426.
[33] D. Boneh, M. Franklin, Identity-based encryption from the Weil pairing, SIAM Journal on Computing 32 (2003) 586–615.
[34] D. Boneh, B. Lynn, H. Shacham, Short signatures from the Weil pairing, Journal of Cryptology 17 (4) (2004) 297–319.
[35] E.R. Verheul, Evidence that XTR is more secure than supersingular elliptic curve cryptosystems, Journal of Cryptology 17 (4) (2004) 277–296.
[36] H.C. Hsiang, W.K. Shih, Improvement of the secure dynamic ID based remote user authentication scheme for multi-server environment, Computer Standards and Interfaces 31 (6) (2009) 1118–1123.
[37] Y.H. Yan, D.S. Wang, J.P. Li, L.G. Li, Cryptanalysis of a remote user authentication scheme based on bilinear pairing, in: IEEE ICACIA, 2009, pp. 73–76.
[38] M. Hou, Q. Xu, G. Shanqing, H. Jiang, Cryptanalysis of identity-based authenticated key agreement protocols from pairings, Journal of Networks 5 (7) (2010) 826–855.
[39] C.M. Swanson, Security in key agreement: two-party certificateless schemes, Master's thesis, University of Waterloo, Canada, 2008.
[40] R. Canetti, H. Krawczyk, Analysis of key exchange protocols and their use for building secure channels, in: Proceedings of Advances in Cryptology – Eurocrypt'01, Springer-Verlag, LNCS, 2001, pp. 453–474.
[41] Z. Cheng, M. Nistazakis, R. Comley, L. Vasiu, On the indistinguishability-based security model of key agreement protocols – simple cases, Cryptology ePrint Archive, Report 2005/129, 2005.
[42] T. Mandt, C. Tan, Certificateless authenticated two-party key agreement protocols, in: Proceedings of ASIAN 2006, Springer-Verlag, LNCS 4435, 2008, pp. 37–44.
[43] B.T. Hsieh, H.M. Sun, T. Hwang, On the security of some password authentication protocols, Informatica 14 (2) (2003) 195–204.
[44] W. Diffie, M.E. Hellman, New directions in cryptography, IEEE Transactions on Information Theory 22 (6) (1976) 644–654.
[45] Y.F. Chung, K.H. Huang, F. Lai, T.S. Chen, ID-based digital signature scheme on the elliptic curve cryptosystem, Computer Standards and Interfaces 29 (6) (2007) 601–604.
