Cryptanalysis and Security Enhancement of Three Authentication Schemes in Wireless Sensor Networks

Nowadays wireless sensor networks (WSNs) have drawn great attention from both industry and the academic community. To facilitate real-time data access for external users directly from the sensor nodes, password-based authentication has become the prevalent authentication mechanism over the past decades. In this work, we investigate three foremost protocols in the area of password-based user authentication schemes for WSNs. Firstly, we analyze an efficient and anonymous protocol and demonstrate that, though this protocol is equipped with a formal proof, it actually has several overlooked security loopholes, such that it cannot resist smart card loss attack and violates forward secrecy. Secondly, we scrutinize a lightweight protocol and point out that it cannot achieve the claimed security goal of forward secrecy, and also suffers from user anonymity violation attack and offline password guessing attack. Thirdly, we find that an anonymous scheme fails to preserve two critical properties, forward secrecy and user friendliness. In addition, by adopting the "perfect forward secrecy (PFS)" principle, we provide several effective countermeasures to remedy the identified weaknesses. To test the necessity and effectiveness of our suggestions, we conduct a comparison of 10 representative schemes in terms of the underlying cryptographic primitives used for realizing forward secrecy.


Introduction
Currently, wireless sensor networks (WSNs) have become one of the most standard services employed in commercial and industrial applications and have proved to be a leading area of research [1][2][3]. Like many advanced technologies, the original applications of WSNs can be found in military and heavy industrial settings. In the 1950s, the first modern WSN, the Sound Surveillance System (SOSUS), was developed by the United States military and used for detecting Soviet submarines [4]. Nowadays, WSNs thrive in industrial and consumer applications, including machine health monitoring, environmental sensing, natural disaster prevention, and health care monitoring [5][6][7].
A wireless sensor network generally includes a central gateway node (GWN, also called the base station), a large number of circulating, self-directed and low-powered devices named sensor nodes, and a set of end users. The GWN acts as a bridge between the WSN and other networks and also as a powerful data managing and processing center. Sensor nodes are multifunctional, energy-efficient devices that are spatially distributed over the network for collecting, processing, and transferring data.
In many critical applications, remote users are usually keen on real-time access to sensor nodes [8,9], yet if data queries are carried out via the gateway node, efficiency and accuracy might not be guaranteed over the long transmission path between the GWN and the sensors. Accordingly, password-based user authentication proves to be a proper solution for this issue owing to its security, simplicity, and portability [10][11][12]. That is, users are first authenticated by remote sensor nodes before being permitted to access data.
In 2006, Wong et al. [13] proposed the first password-based authentication scheme for wireless sensor networks that allows legitimate users to query sensitive information at every sensor of the network. However, shortly after this protocol was presented, Tseng et al. [14] and Das et al. [15] pointed out that Wong et al.'s scheme [13] is vulnerable

Contributions. In this work, we mainly review and analyze three state-of-the-art authentication protocols proposed by Li et al. [25], Amin et al. [8], and Wu et al. [9], and reveal that all three schemes suffer from the smart card loss issue and cannot achieve forward secrecy. Then we suggest several possible countermeasures to overcome these pitfalls. We also provide a comparison of 10 representative schemes for wireless sensor networks which emphatically considered

Cryptanalysis of Li et al.'s Scheme
Earlier in 2018, Li et al. [25] presented a three-factor anonymous and efficient authentication scheme for wireless sensor networks. Although their scheme has many attractive properties, such as the provision of user anonymity and local password change, it still fails to attain many of the claimed goals. In this section, we will demonstrate that, though Li et al. try to settle the user friendliness issue of Jiang et al.'s scheme [11], their solution leads to an offline dictionary attack. We also observe that Li et al.'s scheme cannot preserve forward secrecy, which is the most crucial goal for WSNs.

Review of Li et al.'s Scheme.
In this subsection, we briefly revisit Li et al.'s scheme [25]. For ease of description, some intuitive notations and abbreviations are listed in Table 1 and will appear throughout this paper. Their scheme includes three main phases: registration, login and authentication, and password change. We will follow their presentation as closely as possible.
(3) Upon receiving the login request, GWN computes  3 =  2 =  and   =  4 ⊕  3 and verifies if   is in the database. If not, the request is aborted. Otherwise, 

As in [25], the following assumptions about the adversary's capabilities are implicitly made: (1) Two communication channels exist: one is a secure, or private, channel which is mainly used for registration; the other is a public channel which serves the login and authentication phases. As in conventional authentication protocols, the adversary A is modeled to have full control of the public channel; i.e., A can eavesdrop, intercept, modify and redirect any transmitted messages between the communicating parties [3,6].
(2) The user-memorable identities and passwords are of low entropy and can both be enumerated offline by A within polynomial time.
(3) When considering truly multifactor authentication (i.e., the scheme is secure even if one or more factors are cracked [10]), it is rational to assume that A may (i) learn a victim's password, e.g., via phishing or shoulder surfing attacks, (ii) extract the secret parameters in the lost smart card by side-channel attack, or (iii) obtain a victim's biometric information via a malicious device, but cannot achieve all of them. Otherwise, it is a trivial case.
(4) To delineate the critical feature of forward secrecy, A is allowed to corrupt any valid entity to obtain its long-term secret key(s). In addition, previous session key(s) may be revealed to A, for instance because of improper erasure [10,27].
It is worth noting that the above adversarial model, following the existing works in [3,6,7,10,28], is one of the few that apply to multifactor authentication in WSNs. For the sake of user friendliness, many protocols allow users to select their own identity  and password . However, users usually choose easy-to-remember identities (e.g., email, phone number) and passwords, which are of low entropy (|D  | ≤ |D  | ≤ 10^6 [29,30]) and can be enumerated offline by A within polynomial time. Besides, assumption (3) specifies truly three-factor security and assumption (4) is used to capture the crucial notion of forward secrecy when GWN or any sensor node   is corrupted. In the following sections, our analysis will take account of these four assumptions.

Smart Card Loss Attack.
In [25], Li et al. pointed out that Jiang et al.'s scheme [11] lacks a timely detection mechanism, which means that once a user unintentionally inputs a wrong identity or password, the system still executes the following login and authentication phases. Undoubtedly, this interaction brings extra cost. In reality, such mistakes are common, as users are usually involved in countless applications and manage various pairs of identities and passwords [7]. To solve this problem, Li et al.'s scheme [25] inserts a verification item   = ℎ(  ‖ ℎ(  ‖   ) ‖   ) in the smart card for the purpose of providing timely detection and performing password change without any interaction with the GWN. However, their modification runs into the "security-usability" balance problem described by Huang et al. [12]; that is, it realizes local password change but introduces an offline dictionary attack. We illustrate this attack below.
Step 1. A chooses a pair ( *  ,  *  ) from D  × D  , where D  represents the identity space and D  represents the password space.
Step 2. A computes , where   is extracted from the victim's smart card and   can be obtained by computing   = ( ⊕   ) with the help of a malicious device.
Step 3. A verifies the correctness of the ( *  ,  *  ) pair by checking whether the computed  *  equals the extracted   .
Step 4. A repeats Steps 1 ∼ 3 until the right values are found.
Besides the reasonable assumption (3) above, it should be pointed out that, in the registration phase of Li et al.'s scheme [25],   imprints his/her biometric information   on a specific device and simply submits the plain-text   to GWN. Then, GWN employs the fuzzy commitment technique [31] and the generated  to compute . In such a situation, if a privileged insider, e.g., the administrator, has learned the user's biometric information, she is able to complete the above offline guessing attack. Moreover, she is able to impersonate the victim to log in to other applications, as biometric characteristics cannot easily be changed.
For another thing, in order to realize user friendliness, most password-based authentication schemes (e.g., [8,9,11]) allow users to choose their own  and , and Li et al.'s scheme is no exception. However, users usually tend to choose easy-to-remember, and thus low-entropy, identities and passwords, so that it is reasonable to make assumption (2) that A can enumerate all the (, ) pairs offline within polynomial time.

The Violation of Forward Secrecy.
WSNs are generally deployed in security-critical applications, such as battlefield surveillance and health care monitoring [7,27,32,33]. Sensor nodes are at risk for two reasons: on the one hand, due to the unattended environments and low-cost considerations, it is easier for an adversary A to target the sensors and succeed in compromising them; on the other hand, sensors often perform extremely sensitive tasks and thus hold sensitive information and exhibit a greater attack surface. Consequently, sensor nodes are more vulnerable to serious attacks, so that a desirable authentication scheme for WSNs ought to be guaranteed against node capture attack.
Unfortunately, Li et al.'s scheme [25] cannot resist this severe node capture attack. Let us consider the following scenario. Suppose a sensor node   has been compromised by an adversary A and the stored secret key   can be extracted. This assumption is sound, as made in assumption (4), and it is also implicitly described in Li et al.'s scheme [25]. With the extracted   , A can successfully obtain the previous session key between   and any user   , as follows.
There are some points to be noted regarding the aforementioned attack. Firstly, the reason why we add Steps 5 and 6 is that these two steps serve to check the parameters, even though A already knows   . Then, it is not hard to see that A only needs to eavesdrop over the public channel and perform simple computations to complete the attack procedure. Consequently, the desirable security goal of perfect forward secrecy (PFS) cannot be attained by Li et al.'s scheme.
Although considerable attention has been paid to the forward secrecy issue, many prior works still explicitly or implicitly use an incorrect computation for the session key(s) (e.g., [8,9,21,34]). This is mainly due to the violation of the "PFS principle" suggested in [26]: (i) public-key techniques are indispensable; (ii) at least two exponentiation operations are conducted on the server side. Though Ma et al. [26] state this principle for the client-server architecture, after careful analysis we find that this "PFS principle" is also suitable for WSN environments (i.e., the three-party setting). In this case, we take the GWN and sensors as the server side, while keeping users as the client.
Accordingly, elliptic curve cryptography (ECC) is a reasonable choice for overcoming this pitfall, and in their original scheme [25] Li et al. already employ this mechanism to attain user anonymity. To make a precise modification, we assume   to be    and   to be   , where the point  is the generator mentioned before and   ,   are two random numbers chosen by   and   separately. Note that GWN need not be involved in negotiating the session key. In this way, the session key can be recalculated as  = ℎ(  ‖   ‖    ‖    ‖     ). As it is generated from the session-variant random numbers   and   and it is computationally infeasible to derive      from the transmitted messages due to the discrete logarithm problem, Li et al.'s scheme [25] will be secure against node capture attack and provide forward secrecy after these slight modifications.
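To make the PFS principle concrete, here is an added Python example (not code from the paper or from Li et al.'s scheme): a session key derived only from the sensor's long-term key and nonces sent in clear is recovered by anyone who later captures that key and holds the transcript, whereas a session key bound to ephemeral ECDH values aP, bP, abP is not. The names x_j, r_u, r_s, U_i, S_j and the minimal P-256 arithmetic are assumptions for illustration.

```python
# Added example (not from the paper): hash-only session key vs. ephemeral ECDH
# session key, in the spirit of the "PFS principle". Names are illustrative.
import hashlib
import secrets

# --- Minimal NIST P-256 arithmetic in affine coordinates (demo quality) ----
P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
A = -3
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
G = (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
     0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5)
INF = None  # point at infinity


def ec_add(p1, p2):
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF                       # p2 == -p1
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication k * pt."""
    result, addend = INF, pt
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def h(*parts):
    """Hash of the concatenation of its arguments (stands for h(.||.||.))."""
    return hashlib.sha256(b"||".join(parts)).digest()


def point_bytes(pt):
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")


# --- The flawed pattern: session key from a long-term node key + clear nonces
def hash_only_session_key(x_j, r_u, r_s):
    return h(x_j, r_u, r_s)


def recover_after_node_capture(captured_x_j, transcript):
    # A who captured S_j's long-term key x_j replays the same derivation
    # over the nonces it eavesdropped earlier: every past key falls.
    return h(captured_x_j, transcript["r_u"], transcript["r_s"])


# --- The suggested pattern: SK = h(ID_i || SID_j || aP || bP || abP) ----------
def ecdh_keypair():
    k = secrets.randbelow(N - 1) + 1     # ephemeral scalar, fresh per session
    return k, ec_mul(k, G)


def ecdh_session_key(id_u, id_s, my_priv, my_pub, peer_pub, user_side):
    shared = ec_mul(my_priv, peer_pub)   # abP, never transmitted
    aP, bP = (my_pub, peer_pub) if user_side else (peer_pub, my_pub)
    return h(id_u, id_s, point_bytes(aP), point_bytes(bP), point_bytes(shared))


def demo():
    """Returns (hash_only_key_recovered, ecdh_keys_agree)."""
    x_j = secrets.token_bytes(16)                       # S_j long-term key
    r_u, r_s = secrets.token_bytes(16), secrets.token_bytes(16)
    sk = hash_only_session_key(x_j, r_u, r_s)
    transcript = {"r_u": r_u, "r_s": r_s}               # seen on the channel
    recovered = recover_after_node_capture(x_j, transcript)

    a, aP = ecdh_keypair()                              # U_i's contribution
    b, bP = ecdh_keypair()                              # S_j's contribution
    sk_user = ecdh_session_key(b"U_i", b"S_j", a, aP, bP, user_side=True)
    sk_node = ecdh_session_key(b"U_i", b"S_j", b, bP, aP, user_side=False)
    # With aP, bP and even x_j in hand, A would still need abP (ECDLP/CDH).
    return recovered == sk, sk_user == sk_node
```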

Mistakes in the Proof.
The emergence of BAN logic opened a new chapter in the proof of user authentication protocols [35,36]; it can not only be used to prove whether a protocol achieves some desired goals, but also be employed to find defects in the protocol. However, there are still some problems in the application of BAN logic. On the one hand, BAN logic cannot prove whether the protocol achieves all security goals and desirable properties. For example, it cannot prove that the protocol resists parallel session attack, denial-of-service attack, node capture attack, etc. On the other hand, the analysis in BAN logic depends on some basic assumptions and initial hypotheses. If the initial hypotheses are not sound, the formal analysis will lead to erroneous conclusions.
In the formal proof of Li et al.'s scheme [25] with BAN logic, there are several minor problems. Firstly, Li et al. add a new logic rule, the session keys rule: However, it would be better to explain the calculation method of  and the key role of  in . Otherwise, we cannot derive that  believes  and  share  from the upper part of the equation.
Secondly, we suggest that the initial premises p13 and p14, i.e., GWN| ≡   ⇒   ⊕  and   | ≡GWN⇒   ⊕ ℎ(  ‖ ), respectively, should be derived from the transmitted messages rather than stated as premises. Finally, some details may be overlooked in the formal proof; for example, in D5 it would be better to add GWN| ≡ #  , which we can neither find in the assumptions nor derive from the preceding steps. It can also be seen that the correctness of the protocol cannot be guaranteed solely by the formal proof.

Cryptanalysis of Amin et al.'s Scheme
Recently, Amin et al. [8] proposed a lightweight protocol for IoT-enabled devices in cloud computing environments. Private information is usually stored in distributed cloud servers (e.g., sensors), so that distributed nodes are confronted with the same security threats as sensors in wireless sensor networks. After careful analysis, we find that, though equipped with a formal proof and exhibiting great application prospects, Amin et al.'s scheme still cannot resist smart card loss attack and also fails to provide user anonymity and forward secrecy.

Review of Amin et al.'s Scheme.
Here we briefly review the scheme proposed by Amin et al. [8], an enhancement over Xue et al.'s scheme [37] and Chuang et al.'s scheme [38].

Cloud Server Registration Phase. In this phase, any cloud server   sends a self-chosen identity and random number pair {  , } to the control server (CS). Then CS chooses a random number , computes   = ℎ(  ‖ ),   = ℎ(  ‖ ), and responds {  } to   securely. Finally,   stores {  , } in its memory.

Login and Authentication Phase.
In order to access remote server resources, a legal user   inserts his/her smart card into a card reader and inputs   ,   . Then the following steps are performed: (1) =   . If so,   successfully authenticates   and , and they establish a session key   =   =   .

Cryptanalysis of Amin et al.'s Scheme.
The four assumptions made in Section 2.2 are also explicitly employed in Amin et al.'s work [8] when they analyze the security of Xue et al.'s scheme [37] and Chuang et al.'s scheme [38] and prove the security of their own scheme. Consequently, our following discussion will be based on these four assumptions.

No Provision of User Anonymity.
Nowadays, privacy concerns are attracting more and more attention among governments, organizations, and individuals, and anonymous privacy-preserving authentication protocols are of particular interest. This is because the violation of user anonymity, say the leakage of some user-specific (static) information, may allow a malicious adversary to track the victim's current activities and login history [7,39]. Generally, there are two kinds of user anonymity attributes, basic and advanced [7]: (i) user  protection, which means A cannot obtain the real  of the user; (ii) user untraceability, which means A is unable to tell who the user is or to distinguish whether two communications come from the same user. In wireless sensor networks, the latter notion has been widely adopted (e.g., [40][41][42]), and so does Amin et al.'s scheme.
In 2014, Das et al. [43] first introduced a "dynamic ID technique" to achieve user anonymity: a user's real  is concealed in session-variant pseudonym identities. Subsequently, many schemes (e.g., [25,44,45]) follow this technique and are the so-called "dynamic ID" schemes; Amin et al.'s scheme [8] falls into this category. However, after careful analysis, we find that Amin et al.'s scheme cannot achieve user anonymity in practice. To be specific, in the login phase of their scheme, Amin et al. try to compute a pseudonym identity   = ℎ(  ‖  2 ) as a dynamic identity. On the one hand,   is specific to the legitimate user   ; on the other hand,   is kept static and transmitted in plain in all of   's login messages {  ,   ,   ,   ,   }.
Accordingly, this specific value   can be seen as   's "identifier", and thus A can exploit it to identify and track   throughout the whole system. To conduct the aforementioned attack, an adversary A only needs to eavesdrop on the transmission channel, without any other interaction or computation. This serves to show the violation of user anonymity in Amin et al.'s scheme [8], thereby contradicting their claim.

Smart Card Loss Attack.
Amin et al. [8] showed that, in Xue et al.'s protocol [37], users' passwords can be guessed offline once A has somehow obtained (lost or stolen) the victim's smart card and extracted the stored secret information. Then Amin et al. attempt to overcome this pitfall in their newly proposed scheme. However, precisely the same deficiency still exists in Amin et al.'s enhanced version. Let us consider the following scenario. Suppose that A has obtained the secret parameters {  ,   , ,   , ℎ(⋅)} stored in   's smart card (e.g., by side-channel attack [46][47][48] and reverse engineering techniques [49]), which is reasonable under assumption (3). Then A can conduct the following procedure to guess   's password.
Step 1. Choose a pair ( *  ,  *  ) from the identity space D  and password space D  .
Step 2. , and  *  = ℎ(  ‖   ).
Step 3. Verify whether the computed  *  equals the extracted   .
Further, according to assumption (1), A is capable of eavesdropping and intercepting a normal (previous successful) login message {  ,   ,   ,   ,   } between   and   over the public channel. It is fair to assume that A has already obtained the correct value of   ; then Step 2 might be changed to compute  1 ,   ,  2 , and  *  and to compare the computed  *  with the intercepted   in Step 3. In this way, the time complexity of the above procedure reduces to O(3  ×|D  |×|D  |), where the XOR and concatenation operations are cheap enough to be neglected.
Note that both of the above attacks are carried out offline without any interaction with the control server. Hence, there is no way for CS to detect the abnormality, and the adversary A can impersonate   at any time until CS revokes the victim's smart card. All in all, our analysis demonstrates the feasibility of smart card loss attack on Amin et al.'s scheme [8].

The Violation of Forward Secrecy.
As mentioned in Section 2.2.2, Amin et al.'s scheme [8] is also subject to node capture attack. In such cases, the captured nodes may enable an adversary to compromise communications between other noncaptured nodes or to obtain previous session keys. We show this pitfall in this subsection. Assume that a malicious adversary A has compromised a cloud server   and extracted the secret parameters {  , } stored in its memory; A can then recover a previous session key as follows.
Step 2. Compute   =   ⊕   , where B  is extracted from the compromised node   .
Given   and   ⊕   , which are all correct values, A manages to find the previous session key. Hence, the desirable property of forward secrecy cannot be attained by Amin et al.'s scheme [8]. Similar to Li et al.'s scheme [25], this is also due to the violation of the "PFS principle". Besides the ECC technique mentioned before, we suggest that this issue can be well addressed by introducing another high-efficiency technique, i.e., the semigroup property of Chebyshev polynomials (so-called chaotic maps).
For this property, given ,   (), and  V (), it is intractable to find    V (), where  is a variable and , V denote the integer degrees [45]. Assume the control server chooses a variable value  and writes it into each user's smart card in the registration phase. Then we slightly modify the random numbers   to be    () and   to be    (), so that the session key can be calculated as  = ℎ(   () ‖    () ‖       ()). For higher security, it is better to involve other secret parameters such as   ,   . In this way, the improved version of Amin et al.'s scheme [8] can achieve perfect forward secrecy based on the computational Diffie-Hellman problem.
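As an added illustration of the chaotic-map alternative (not code from the paper or from Amin et al.'s scheme), the following Python computes the extended Chebyshev polynomial T_n(x) mod p by fast matrix exponentiation and checks the semigroup property T_u(T_v(x)) = T_v(T_u(x)) = T_uv(x) on which the suggested session key h(T_u(x) || T_v(x) || T_uv(x)) relies. The prime p, the seed x and the degrees are constructed demo values, not parameters from the paper.

```python
# Added example (not from the paper): Chebyshev chaotic-map key agreement.
# T_n(x) over Z_p from the recurrence T_0 = 1, T_1 = x, T_n = 2x*T_{n-1} - T_{n-2}.
import hashlib


def chebyshev(n, x, p):
    """T_n(x) mod p in O(log n) via the 2x2 matrix [[2x, -1], [1, 0]]."""
    if n == 0:
        return 1 % p
    if n == 1:
        return x % p

    def mat_mul(a, b):   # 2x2 matrices as (a00, a01, a10, a11)
        return ((a[0] * b[0] + a[1] * b[2]) % p, (a[0] * b[1] + a[1] * b[3]) % p,
                (a[2] * b[0] + a[3] * b[2]) % p, (a[2] * b[1] + a[3] * b[3]) % p)

    m = (2 * x % p, (-1) % p, 1, 0)
    r = (1, 0, 0, 1)
    e = n - 1            # (T_n, T_{n-1}) = M^(n-1) * (T_1, T_0)
    while e:
        if e & 1:
            r = mat_mul(r, m)
        m = mat_mul(m, m)
        e >>= 1
    return (r[0] * x + r[1]) % p


def chebyshev_naive(n, x, p):
    """Direct recurrence, used only to cross-check small degrees."""
    t_prev, t_cur = 1 % p, x % p
    if n == 0:
        return t_prev
    for _ in range(n - 1):
        t_prev, t_cur = t_cur, (2 * x * t_cur - t_prev) % p
    return t_cur


def chaotic_map_agreement(x, p, u, v):
    """Both sides derive SK = h(T_u(x) || T_v(x) || T_uv(x)) from what they hold."""
    t_u = chebyshev(u, x, p)          # sent by the user (degree u stays secret)
    t_v = chebyshev(v, x, p)          # sent by the node (degree v stays secret)
    k_user = chebyshev(u, t_v, p)     # T_u(T_v(x))
    k_node = chebyshev(v, t_u, p)     # T_v(T_u(x))

    def sk(shared):
        width = (p.bit_length() + 7) // 8
        data = b"||".join(i.to_bytes(width, "big") for i in (t_u, t_v, shared))
        return hashlib.sha256(data).hexdigest()

    return sk(k_user), sk(k_node)


# Constructed demo parameters (NOT from the paper): a 127-bit Mersenne prime
# and an arbitrary seed x; real deployments need properly sized parameters.
DEMO_P = 2**127 - 1
DEMO_X = 0x123456789ABCDEF013579BDF2468ACE0
```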

Mistakes in the Proof.
Similarly, the security proof of Amin et al.'s scheme [8] does not capture realistic security threats. There are three main reasons: (1) An erroneous initial hypothesis. In the formal proof of Amin et al.'s scheme [8], they make an assumption A11:   | ≡    ←  →   , which is the same as Goal 3. This makes the proof of Goal 3 unnecessary. (2) Wrong usage of logic rules. We take Step S2 as an example. This step is based on the message meaning rule and derives that   believes   said   from A11 and S1. However, according to the message meaning rule, we cannot obtain this conclusion from A11.
Hence, A11 should be changed to
(3) Using undefined new rules. Amin et al. [8] also employ a new session keys rule, but they do not give a definition of the new rule.

Cryptanalysis of Wu et al.'s Scheme
In this section, we review and analyze Wu et al.'s scheme [9], which is a lightweight and relatively robust two-factor authentication scheme for wireless medical sensor networks. In [9], Wu et al. found some security pitfalls in earlier schemes and attempted to overcome all these flaws in their newly proposed one. Besides, Wu et al. [9] use NS-3, a simulation tool, to prove the security of their proposed protocol. Note that the simulation can only demonstrate the validity of their protocol, including the viability of communication between the sensor node and the user, the probable communication time, system size, etc. However, it cannot prove whether their protocol resists the various known attacks. In the following, we find that Wu et al.'s improved scheme still fails to attain the most important goal of forward secrecy and is prone to a user friendliness issue.

Review of Wu et al.'s Scheme.
This subsection briefly reviews Wu et al.'s scheme [9], which involves four critical phases, registration, login, authentication and password change, and a prior initialization. We merge the initialization phase into the registration phase.

Registration Phase.
Initially, GWN is equipped with an identity  and its own secret key . The registration phase is further divided into sensor node registration and user registration.
Sensor Node Registration Phase. Each sensor node   chooses an identity   and sends it to GWN via a secure channel. Then GWN decides to deploy it in a sensor set numbered   and computes the secret key  = ℎ(  ‖  ‖   ). Finally, {  , , } is injected into the memory of   and (  ,   ) is stored in the database of GWN.
(4) GWN →   : {  , 
[9] has a user friendliness issue and fails to achieve the critical property of forward secrecy.

No Provision of User Friendliness.
According to data collected by Dashlane [56], "we are online hoarders": the average user maintains over 107 accounts registered to one email address, and this figure will rise to 207 by 2020. This statistic shows that users are creating and virtually stashing more online account information than ever, which leads to an insanely high number of accounts to manage. In that case, free password change is a recommended practice, for users have to reset forgotten passwords (an average of 37 accounts [56]) and a fixed password is definitely vulnerable. Moreover, users may make a slip in typing passwords or identities; rapid response and decisive action are quite necessary for a user-friendly authentication protocol. Early in 1968, Robert Miller [57] published a classic paper about response time in man-computer conversational transactions, which pointed out that "response times exceeding 10 seconds will completely lose the user's attention". In this way, locally secure password change, i.e., providing an explicit and secure process to verify the correctness of the user-keyed password in the smart card, is essential. That is, the smart card has no need to interact with the remote server in the user input and password change phases. However, as stated above, both Li et al.'s scheme [25] and Amin et al.'s scheme [8] provide local password change, but their strategies introduce a new vulnerability: offline dictionary attack.
Back to Wu et al.'s scheme [9]: there is no verifier in the smart card, which means their scheme cannot even provide a timely detection mechanism or reasonable password change. Fortunately, Wang et al. [10] introduced a "fuzzy verifier" technique to effectively solve this security-usability issue. In the following, we take Wu et al.'s scheme [9] as an example to show this strategy. Firstly,   submits {  ,   } to GWN in the registration phase. Then GWN computes   = ℎ((ℎ(  ) ⊕   )) mod ) and stores it in   's smart card, where  denotes the size of the (, ) pool and 2^6 ≤  ≤ 2^8. Assuming |D  | ≈ |D  | ≈ 10^6 and  = 2^8 [29, 30], we can be assured that there remain (|D  | × |D  |)/ ≈ 2^32 candidate identity and password pairs, which thwarts the adversary from guessing the correct password.
The same considerations can also be applied to Li et al.'s scheme [25] and Amin et al.'s scheme [8]. The large number of candidates will effectively frustrate A from guessing the password by brute force, while still providing timely detection of a mistyped identity or password.
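The fuzzy verifier can be tried out with the following added Python example (not code from the paper or from Wang et al. [10]): it builds V = h((h(ID) ⊕ h(PW)) mod n0) with n0 = 2^8, shows that the smart card can check a keyed-in password locally, and then counts how many (ID, PW) candidates in a constructed dictionary pass the same check, which is what makes an offline guess inconclusive. Using h(PW) rather than the raw password inside the XOR, and the dictionary itself, are assumptions.

```python
# Added example (not from the paper): a "fuzzy verifier" for local password
# checking. V = h((h(ID) XOR h(PW)) mod n0); using h(PW) is an assumption.
import hashlib

N0 = 2 ** 8          # size of the (ID, PW) pool; the text allows 2^6 <= n0 <= 2^8


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def fuzzy_verifier(identity: bytes, password: bytes, n0: int = N0) -> bytes:
    """V stored in the smart card: only log2(n0) bits of (ID, PW) survive."""
    mixed = int.from_bytes(h(identity), "big") ^ int.from_bytes(h(password), "big")
    bucket = mixed % n0
    return h(bucket.to_bytes(2, "big"))


def local_check(stored_v: bytes, identity: bytes, password: bytes,
                n0: int = N0) -> bool:
    """Smart-card-side timely detection: no round trip to GWN needed."""
    return fuzzy_verifier(identity, password, n0) == stored_v


def matching_candidates(stored_v, id_space, pw_space, n0=N0):
    """Every (ID, PW) pair in the given spaces whose verifier equals V.
    Roughly |id_space| * |pw_space| / n0 pairs survive, so V alone cannot
    confirm an offline guess."""
    return [(i, p) for i in id_space for p in pw_space
            if fuzzy_verifier(i, p, n0) == stored_v]


def remaining_candidates(d_id: int, d_pw: int, n0: int = N0) -> int:
    """The paper's estimate (|D_ID| * |D_PW|) / n0 of pairs left after the check."""
    return d_id * d_pw // n0


# Constructed demo dictionary (not real credentials): 100 IDs x 100 passwords.
DEMO_IDS = [f"user{i:03d}@example.com".encode() for i in range(100)]
DEMO_PWS = [f"password{i:03d}".encode() for i in range(100)]


def demo():
    """Returns (correct_pair_accepted, false_accepts_among_wrong_pws, survivors)."""
    real_id, real_pw = DEMO_IDS[42], DEMO_PWS[7]
    v = fuzzy_verifier(real_id, real_pw)            # what the card stores
    accepted = local_check(v, real_id, real_pw)
    # A mistyped password is rejected with probability 1 - 1/n0; count the
    # rare collisions over the 99 other dictionary passwords.
    false_accepts = sum(local_check(v, real_id, pw) for pw in DEMO_PWS if pw != real_pw)
    # Offline guessing: how many dictionary pairs are consistent with V?
    survivors = len(matching_candidates(v, DEMO_IDS, DEMO_PWS))
    return accepted, false_accepts, survivors
```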

The Violation of Forward Secrecy.
Forward secrecy is an important property, owing to the unattended environment and security-critical applications of wireless sensor networks [7,11]. In [9], Wu et al. explicitly state that "the sensor nodes may be captured by the intruder", which accords with assumption (4) made in Section 2.2. Under this statement, we find that Wu et al.'s scheme cannot achieve forward secrecy. Once a sensor node   has been compromised, the stored information  might be obtained by A and the following attacks can be launched.
The above attack demonstrates that once a sensor node   has been captured, the previous sessions might be decrypted. This is the same failure as in Li et al.'s scheme [25] and Amin et al.'s scheme [8]. Besides the above two techniques (ECC and chaotic maps), we also suggest employing other public-key techniques, such as pairings [58] and the RSA cryptosystem. Note that when using RSA to achieve forward secrecy, a new temporary RSA key must be generated on the user side for each session [59].
To demonstrate the necessity and effectiveness of our suggestions, we provide a comparison of 10 recently proposed schemes by assessing whether they achieve forward secrecy and what main technique they use. The results are shown in Table 2. One can see that only Das et al.'s scheme [52] successfully provides forward secrecy. This failure is mainly due to the fact that half of them (i.e., [8,9,51,54]) only use hash operations, which are virtually incapable of providing forward secrecy ("PFS principle" [26]), while the other 4 schemes (i.e., [25,45,50,55]) that make use of public-key techniques (e.g., ECC, chaotic maps, RSA) violate the principle that the random numbers must be generated by   and   separately and cannot be transmitted over the public channel.

Conclusion
In this paper, we first analyze three state-of-the-art authentication schemes presented by Li et al., Amin et al., and Wu et al., which are mainly applied to realize real-time data access in security-critical wireless sensor networks. We demonstrate that although their schemes are equipped with formal proofs, they still suffer from smart card loss attack and fail to achieve the important properties of forward secrecy, user anonymity, and user friendliness. Our cryptanalysis results discourage the practical application of these three schemes and reveal some challenges in designing a robust scheme for WSNs. We then suggest several possible countermeasures on account of their weaknesses and provide a comparison of 10 representative schemes in terms of forward secrecy and key technology to demonstrate the necessity of our suggestions. For future work, a natural direction is to employ our recommended techniques and countermeasures to design robust and efficient schemes for WSNs.
The running time of the above attack procedure is O(2  × |D  | × |D  |), where |D  | denotes the number of identities, |D  | denotes the number of passwords, and   is the running time of a hash operation. Since |D  | and |D  | are very limited in practice (e.g., |D  | ≤ |D  | ≤ 10^6 [29, 30]), our above attack is meaningful and poses a real challenge to user authentication protocols for wireless sensor networks.

Registration Phase.
The registration phase of Amin et al.'s scheme can be divided into cloud server registration and user registration.

Step 4. Repeat Steps 1, 2, and 3 until the correct values are found. Let |D  | and |D  | denote the sizes of D  and D  ; the time complexity of the aforementioned attack is O(4  × |D  | × |D  |), which is linear in the running time of a hash operation and can be finished in a few days owing to the limited sizes |D  | ≤ |D  | ≤ 10^6 [29, 30].
Organization. The remainder of this paper is organized as follows. Section 2 reviews and demonstrates the pitfalls of Li et al.'s scheme. Section 3 cryptanalyzes Amin et al.'s protocol and offers countermeasures for the discovered flaws. Section 4 describes the weaknesses of Wu et al.'s protocol and compares 10 representative schemes. The conclusion is given in Section 5.
Cryptanalysis of Wu et al.'s Scheme.
Due to its simplicity and admirable provision of user anonymity, Wu et al.'s scheme [9] exhibits great application prospects, and yet there are still some security pitfalls overlooked by Wu et al. In the following, we will demonstrate that Wu et al.'s scheme

Table 2:
Performance and security comparison. 1. : one-time hash operation time;   : elliptic curve point multiplication time;   : running time of chaotic maps;   : time for modular multiplication/division. 2. × means the corresponding scheme fails to achieve this property; CM denotes chaotic maps; PFS denotes perfect forward secrecy.