Applying LU Decomposition of Matrices to Design Anonymity Bilateral Remote User Authentication Scheme

We apply LU decomposition of matrices to present an anonymous bilateral authentication scheme. This paper aims at improving the security and the performance of remote user authentication schemes. The proposed scheme provides bilateral authentication and session key agreement, quickly checks the validity of the input password, and truly protects user anonymity. The security of the proposed scheme is based on the discrete logarithm problem (DLP), the Diffie-Hellman problem (DHP), and the one-way hash function. It can resist various attacks such as the insider attack, impersonation attack, server spoofing attack, and stolen smart card attack. Moreover, the presented scheme is computationally efficient for real-life implementation.


Introduction
The remote user authentication scheme allows the user and the remote server to mutually authenticate each other over public network environments, after which the authorized user can access the services and resources provided by the remote server. Generally, a password-based authentication scheme provides an efficient and secure way to achieve mutual authentication and allows the user and the server to establish a shared session key for subsequent secret communication once mutual authentication has completed. In 1981, Lamport [1] first proposed a password-based remote user authentication scheme for insecure communication. Since then, researchers have proposed many password-based remote user authentication schemes [2][3][4][5][6][7] to ensure secure communication over the public network, and many studies [8][9][10][11][12][13][14][15][16][17][18] have been presented to enhance the security or to improve the computation and communication costs of remote user authentication schemes.
In public network environments, it is important to ensure user anonymity, such that the user's real identity can only be revealed by authorized entities. In 2000, Lee and Chang [19] proposed a user identification scheme with key distribution preserving user anonymity for distributed computer networks. However, Wu and Hsu [20] pointed out that Lee and Chang's scheme cannot protect user anonymity as claimed, and they proposed an enhanced scheme. Later, Yang et al. [21] showed that Wu and Hsu's scheme cannot resist the impersonation attack and proposed an improved scheme which is more secure and efficient. Unfortunately, Mangipudi and Katti [22] showed that Yang et al.'s protocol is vulnerable to a Denial-of-Service (DoS) attack and proposed a secure identification and key agreement protocol with user anonymity. Recently, Wang et al. [23] presented a secure and efficient identification and key agreement protocol with user anonymity based on the difficulty of computing the elliptic curve Diffie-Hellman problem. Their scheme's computation cost is lower and is suitable for applications in low-power computing environments.
In 2004, Choi and Youn [24] proposed a novel data encryption and distribution approach using LU decomposition of matrices. Then, Pathan et al. [25,26] proposed two efficient bilateral remote user authentication schemes based on LU decomposition of matrices. Nevertheless, these schemes have several weaknesses: they cannot resist replay attacks, they cannot preserve user anonymity, the server and the users cannot agree on a session key, and so forth. To address these issues, Tseng et al. [27] proposed a user authentication scheme based on LU decomposition of matrices. They claimed that their scheme can resist the replay attack, forgery attack, and insider attack and can provide user anonymity. However, after careful analysis, we find that Tseng et al.'s scheme is still vulnerable to the insider attack and the stolen smart card attack, is inefficient for wrong password login, and does not provide user anonymity. To overcome these weaknesses of Tseng et al.'s scheme, we propose a novel bilateral authentication scheme with user anonymity using LU decomposition of matrices. Our analysis shows that our scheme not only provides better security properties but also is more efficient than the other authentication schemes.
The rest of this paper is organized as follows: Section 2 introduces the necessary preliminaries of this paper. A brief review of Tseng et al.'s scheme is provided in Section 3. Section 4 describes a cryptanalysis of Tseng et al.'s scheme. The proposed scheme and the corresponding analysis are presented in Sections 5 and 6, respectively. Finally, we conclude this paper in Section 7.

Preliminaries
In this section, we introduce some basic information about the LU decomposition of matrices and the discrete logarithm problem, which are the mathematical basis of our proposed bilateral remote user authentication protocol with user anonymity.

LU Decomposition of Matrices.
In matrix theory, LU decomposition factorizes a matrix as the product of a lower triangular matrix and an upper triangular matrix. Let  be a square matrix; an LU decomposition of matrix  has the form  = , where  is a lower triangular matrix and  is an upper triangular matrix. This means that  has only zeros above the diagonal and  has only zeros below the diagonal. If  is a singular matrix of rank , it admits an LU decomposition if all the -leading principal minors are nonzero.
In the identity authentication system, we assume that  is the number of users the system can support. We introduce the LU decomposition into the user authentication system to ensure the security of the system. In the system initialization phase, the remote server generates a symmetric matrix  × as its master secret key. With the LU decomposition, the server separates the symmetric key matrix  × into the product of a lower triangular matrix  × and an upper triangular matrix  × , that is,  × =  ×  × , and stores these matrices in other servers.
Since  is a symmetric matrix, we have   =   for 1 ≤  ≤  and 1 ≤  ≤ , so the product of the th row of matrix  × and the th column of matrix  × is equal to the product of the th row of matrix  × and the th column of matrix  × . For example, suppose  is a 4 × 4 symmetric matrix with an LU decomposition as follows. We can perform elementary row operations to get the lower matrix  and the upper matrix  . Given  = 3 and  = 4, we can compute  34 and  43 as follows, where   (3) denotes the 3rd row of the matrix  and   (4) denotes the 4th column of the matrix , and we have that  34 =  43 .
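The following Python example is added here to make the row-times-column property concrete; it is not code from the paper. It performs a Doolittle LU decomposition in exact rational arithmetic on a constructed 4 × 4 symmetric matrix (assumed to stand in for the server's secret key matrix), checks that the product of row i of L and column j of U equals the product of row j of L and column i of U for every pair, shows that the property fails for a non-symmetric matrix, and reports the leading-principal-minor condition that the text mentions when no decomposition exists.

```python
from fractions import Fraction


def lu_decompose(a):
    """Doolittle LU decomposition (no pivoting) in exact rational arithmetic.

    Returns (L, U): L is unit lower triangular, U is upper triangular,
    and L x U equals the input. Raises ValueError when a leading principal
    minor is zero, i.e. when the matrix has no LU decomposition of this form.
    """
    n = len(a)
    A = [[Fraction(x) for x in row] for row in a]
    L = [[Fraction(1 if i == j else 0) for j in range(n)] for i in range(n)]
    U = [[Fraction(0) for _ in range(n)] for _ in range(n)]
    for k in range(n):
        # k-th row of U
        for j in range(k, n):
            U[k][j] = A[k][j] - sum(L[k][s] * U[s][j] for s in range(k))
        if U[k][k] == 0:
            raise ValueError(f"leading principal minor {k + 1} is zero: no LU decomposition")
        # k-th column of L below the diagonal
        for i in range(k + 1, n):
            L[i][k] = (A[i][k] - sum(L[i][s] * U[s][k] for s in range(k))) / U[k][k]
    return L, U


def row_col_product(L, U, i, j):
    """Dot product of L_row(i) and U_col(j); this equals A[i][j] by construction."""
    return sum(L[i][s] * U[s][j] for s in range(len(L)))


def matmul(X, Y):
    n = len(X)
    return [[sum(X[i][s] * Y[s][j] for s in range(n)) for j in range(n)] for i in range(n)]


def pairing_property_holds(a):
    """Check the symmetric-product property the scheme relies on:
    for every (i, j), L_row(i)·U_col(j) == L_row(j)·U_col(i) == a[i][j]."""
    L, U = lu_decompose(a)
    n = len(a)
    if matmul(L, U) != [[Fraction(x) for x in row] for row in a]:
        return False
    return all(
        row_col_product(L, U, i, j) == row_col_product(L, U, j, i) == Fraction(a[i][j])
        for i in range(n) for j in range(n)
    )


# Constructed sample: a 4x4 symmetric matrix standing in for the server's
# secret key matrix (not the matrix from the paper).
A = [[4, 2, 2, 1],
     [2, 5, 3, 2],
     [2, 3, 6, 3],
     [1, 2, 3, 7]]

if __name__ == "__main__":
    L, U = lu_decompose(A)
    # 0-based indices: row 3 / column 4 of the text are (2, 3) here
    print("L_row(3)·U_col(4) =", row_col_product(L, U, 2, 3))
    print("L_row(4)·U_col(3) =", row_col_product(L, U, 3, 2))
    print("pairing property holds:", pairing_property_holds(A))
```

Because the property only depends on the symmetry of the matrix, the check in `pairing_property_holds` also serves as a self-test that the server's key matrix was generated correctly before any row or column products are handed to users.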

Discrete Logarithm Problem.
Detailed information about the discrete logarithm problem can be found in the literature [28]; we briefly introduce it as follows. In a multiplicative group ⟨⟩ of order , where  = 2 + 1 is the modulus of the group, both  and  are public large prime numbers. This implies the following. (1) ⟨⟩ = { |  =   mod , for  = 1, 2, 3} is a finite set of size , where 2 ≤  ≤  − 1 and   mod  = 1.
(2) Given  and , computing the modular exponentiation  =   mod  is relatively easy. However, given  and , it is computationally infeasible to find  such that  =   mod ; namely, in ⟨⟩, the discrete logarithm problem is intractable [28].
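As an added example (not part of the paper), the Python below builds the group of this section on toy parameters: a safe prime p = 2q + 1 with q prime, a generator g of the order-q subgroup with g^q mod p = 1, the finite set ⟨g⟩ of size q, and the Diffie-Hellman session key g^(ab) mod p on which the scheme's key agreement rests. The brute-force discrete logarithm at the end is there only to show that its cost grows with q; the parameter sizes and exponents are constructed for illustration.

```python
import secrets


def is_prime(n):
    """Trial division; enough for the toy parameters used here."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    d = 3
    while d * d <= n:
        if n % d == 0:
            return False
        d += 2
    return True


def safe_prime_group(q):
    """Build the group of Section 2.2: p = 2q + 1 with p, q prime, and a
    generator g of the order-q subgroup (g != 1, g^q mod p == 1).
    Returns (p, q, g)."""
    p = 2 * q + 1
    if not (is_prime(q) and is_prime(p)):
        raise ValueError("q and p = 2q + 1 must both be prime")
    for g in range(2, p - 1):
        if pow(g, q, p) == 1:
            return p, q, g
    raise ValueError("no element of order q found")


def subgroup(p, q, g):
    """{ y | y = g^x mod p, x = 1..q }: a finite set of exactly q elements."""
    return {pow(g, x, p) for x in range(1, q + 1)}


def random_exponent(q):
    """A private exponent in [1, q-1], drawn from the OS CSPRNG."""
    return 1 + secrets.randbelow(q - 1)


def dh_session_key(p, q, g, a, b):
    """Diffie-Hellman over <g>: each side publishes g^x mod p and raises the
    other's value to its own exponent. Returns (g^a, g^b, shared key)."""
    ya = pow(g, a, p)   # sent by the first party
    yb = pow(g, b, p)   # sent by the second party
    key_a = pow(yb, a, p)
    key_b = pow(ya, b, p)
    assert key_a == key_b  # both sides derive g^(ab) mod p
    return ya, yb, key_a


def brute_force_dlog(p, q, g, y):
    """Solve y = g^x mod p by exhaustive search over x in [1, q]. The work is
    linear in q, which is why the DLP is intractable for large q."""
    for x in range(1, q + 1):
        if pow(g, x, p) == y:
            return x
    return None


if __name__ == "__main__":
    p, q, g = safe_prime_group(11)          # constructed toy parameters
    print("p, q, g =", p, q, g, "| |<g>| =", len(subgroup(p, q, g)))
    a, b = random_exponent(q), random_exponent(q)
    ya, yb, key = dh_session_key(p, q, g, a, b)
    print("g^a, g^b, key =", ya, yb, key)
    print("recovered a by brute force:", brute_force_dlog(p, q, g, ya))
```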

Review of Tseng et al.'s Scheme
In this section, we briefly review Tseng et al.'s scheme; more details can be found in [27]. Tseng et al.'s scheme contains four phases, that is, the registration phase, the login phase, the authentication phase, and the password change phase. The notations used throughout this paper are listed in Table 1.
(2) The server checks the validity of ID  . If ID  is invalid, the server rejects the login request.
(3) The server verifies whether the time interval (  − ) ≤ Δ, where   is the current timestamp when the server received the message. If (  − ) ≥ Δ, the login request is considered out of date and is rejected.
( )) to the server. Upon receiving the password-changing message, the server takes the following steps: in the smart card.

Cryptanalysis of Tseng et al.'s Scheme
Tseng et al. claimed that their scheme can protect user anonymity and can resist various known attacks. However, after careful analysis, we find that their scheme cannot really protect user anonymity and is vulnerable to the insider attack and the server spoofing attack. Besides, their scheme is inefficient for wrong password login. We analyze the security weaknesses of Tseng et al.'s scheme below.

Attacks against the User Anonymity.
In order to prevent the attacker from tracking the user's movements, it is important to ensure user anonymity, such that the user's real identity can only be recognized by the server. Kocher et al. [29] and Messerges et al. [30] have pointed out that the confidential information stored on a smart card can be extracted by physically monitoring its power consumption. So, in Tseng et al.'s scheme, a legal but malicious user   can extract the information (     ,   ,   (  ), V  , ℎ(⋅), , ) from his/her own smart card, and with his/her own identity ID  and password PW  , he/she can compute the value ℎ(  ) =   ⊕ ℎ(ID  ⊕      ) ⊕ ℎ(PW  ). If the valid login request message   = (  ,    (ID  ,   ,   (  ), V  , ),   ,   , ) of a legal user   is intercepted by this malicious user   on the public communication channel, the malicious user   can compute   =   ⊕ ℎ(  ), and then he/she can decrypt    (ID  ,   ,   (  ), V  , ) using   to obtain (ID  ,   ,   (  ), V  , ) of the user   . Obviously, the malicious user   can obtain the real identity ID  of the user   . From the above discussion, we can see that Tseng et al.'s scheme cannot really protect user anonymity.

Insider Attack.
In the registration phase of Tseng et al.'s scheme, the user   sends ID  , ℎ(PW  ) to the server for registration, and this information can be acquired by a privileged insider. However, in the password change phase, the server does not check the validity of user   's ID  and PW  . So, a privileged insider of the remote system can masquerade as the user   and send the triple (ID  , ℎ(PW  ), ℎ(PW   )) to the server to perform the password-changing phase. Upon receiving the password-changing message, the server takes the following steps. Therefore, since the server does not check the validity of the user's identity and password when the user wants to change his/her password, Tseng et al.'s scheme is vulnerable to the insider attack, and the privileged insider can easily change the legal user's password.

Stolen Smart Card Attack.
In a stolen smart card attack, if the user's smart card is lost or stolen, the attacker can extract the information stored in the smart card and can then easily change the password of the smart card, guess the user's password by a password guessing attack, or impersonate the user to log in to the system.
(2) The attacker chooses a password PW   from a uniformly distributed dictionary.
After getting the correct ID  and PW  , the malicious user   can easily change the password of user   and can impersonate   to log in to the system.

Inefficient for Wrong Password Login.
Generally speaking, in practical applications, the user   may keep different passwords for different applications to ensure security. Users easily confuse their passwords, so that the user cannot match the application with the correct password; in other words, it is possible that the user enters a wrong password in the login phase.
In the login phase, the smart card does not verify the correctness of the password entered by the user. If the user   inputs a wrong password PW   ( ̸ = PW  ) by mistake, the smart card and the server will perform the following steps: (1) generates a random number , gets the current timestamp , and computes   =      ⊕ ℎ( ⊕ ) and   =   ⊕ ℎ(PW   ) ⊕ ; (2) generates a random number  and computes   =   mod  and   = ℎ(  ⊕   ); (3) encrypts (ID  ,   ,   (  ), V  , ) with   and computes ; (4) sends the login request message   = (  ,    (ID  ,   ,   (  ), V  , ),   ,   , ) to the server; (5) when the server receives the login request message   , the server computes ; (6) when the server decrypts    (ID  ,   ,   (  ), V  , ) using    , the server will find that the user   's identity is invalid. Thus, the server rejects the user   's login request.
In this case, the user   is unaware of the fact that he/she has entered his/her password incorrectly in the login phase, which results in unnecessary extra communication and computation costs.

The Proposed Scheme
In this section, we apply the LU decomposition of matrices to design a novel bilateral remote user authentication scheme with user anonymity, where the LU decomposition of matrices ensures secret information exchange between the user and the server and enhances the security of the authentication scheme. To initiate the scheme, the server chooses a  ×  symmetric matrix  with LU decomposition  =  and secretly stores these matrices as its secret key in other servers, where  is the number of users the system can support. The server chooses a 256-bit secret key   , so that   has high entropy and can resist the brute-force attack. The proposed scheme also contains four phases, that is, the registration phase, the login phase, the authentication and key agreement phase, and the password change phase. The proposed scheme uses timestamps, so the authentication system needs to deploy a mechanism such as NTP (Network Time Protocol) to ensure clock synchronization between the user and the remote server. The details of these phases are described as follows and are also shown in Figure 1.

Registration Phase.
When a user   wants to become a legal user of the system,   generates his/her own identity ID  and an easy-to-remember password PW  and selects and remembers a random number   (the bit length of   is assumed to be 128). Then,   computes RPW  = ℎ(  ‖PW  ) and submits ID  and RPW  to the server over a secure communication channel for registration. ℎ(⋅) used throughout the proposed scheme is a collision-free one-way hash function such as SHA-1 [31], which maps any message of length less than 2^64 bits to a 160-bit message digest. Upon receiving the registration request message, the server  and the user   take the following steps.
(1) The server  verifies the validity of the time interval between   and . If (  − ) ≥ Δ,  rejects the login request. Here   is the timestamp when the login request message was received, and Δ is the expected valid time interval for transmission delay.
(3) The server  computes   = ℎ(     ⊕   ) ⊕   ,    =   ⊕ ℎ(  ⊕ ), and ID  = CID  ⊕   and checks whether ID  is the registered identity of a valid user. If so, the server  performs the following steps. Otherwise, the session is terminated.
(4) The server  computes    = ℎ(ℎ(ID  ‖     )‖   ‖  ‖) and checks    ?=   . If they are equal, the validity of the user   is authenticated by the server . Otherwise, the session is terminated by the server .
(5) For achieving mutual authentication, the server chooses a random number   ∈ (1, ), gets the current timestamp   , and computes   =    mod ,   =   ⊕    , and
The server  submits the reply message {  ,   ,   } to the user   for mutual authentication.
, respectively, to update his/her password.

Analysis of the Proposed Scheme
In this section, we first discuss the security features of the proposed anonymity bilateral authentication scheme.
Then we evaluate the performance and functionality of our proposed scheme and compare it with Tseng et al.'s scheme.
, and the proposed scheme provides known-key security.

Security of Session
Forward Secrecy.
Forward secrecy means that if the long-term secret keys (e.g., the server's secret key   and the user's password PW  ) are compromised, the secrecy of previously established session keys should not be affected. In our scheme, we assume that the master secret key   and the password PW  of user   are compromised for some reason, and the attacker gets the previous communication messages {  , CID  ,   ,   ,   (  ),   , } and {  ,   ,   } from the public channel; then the attacker can get   =   ⊕ ℎ(  ) ⊕ . However, since the secret matrix  is maintained only by the server , the attacker cannot compute      ,  and has no way to know   ,   ,   , and   . Therefore, the attacker has no way to get the previous session key AK  =      mod , and our scheme can ensure perfect forward secrecy.

Protect User Anonymity.
In the login phase and the authentication phase of the proposed scheme, the real identity ID  of user   is not transmitted in plaintext. If the login request message {  , CID  ,   ,   ,   (  ),   , } and the mutual authentication message {  ,   ,   } are eavesdropped by an attacker on the public channel, the attacker has to get the random number  to compute the real identity ID  . However, the attacker has no way to know      and   , so he/she has no valid method to get the random number  and cannot reveal the real identity ID  of the user   . Therefore, our scheme can really protect user anonymity.

Resist Impersonation Attack.
In this type of attack, in order to impersonate a legitimate user, the attacker or a malicious user has to forge a valid login request message {  , CID  ,   ,   ,   (  ),   , } using previously eavesdropped messages or the information obtained from a lost smart card. However, in the proposed scheme, the attacker and any malicious user   cannot forge a valid login request message, since he/she has no knowledge of ID  , RPW  ,   , and      , so he/she cannot impersonate the legitimate user   .
In addition, even if the adversary or a malicious user has obtained the smart card of user   and extracts the parameters {  ,   ,      ,   ,   ,   (  ), , ,   } stored in the smart card by some means, he/she still cannot forge a valid login request message, since he/she has no way to get the valid ID  and PW  , which are protected by the one-way hash function.
Therefore, the proposed protocol is secure against the impersonation attack. At the same time, the attacker cannot get the valid ID  and PW  , so the proposed protocol can resist the denial of service attack.

Resist Insider Attack.
In the registration phase of the proposed scheme, the user   freely selects his/her password PW  and submits the masked password RPW  = ℎ(  ⊕ PW  ) instead of ℎ(PW  ) to the server for registration. In the proposed scheme, the password must first be verified by the smart card in the login and password change phases, so only if the adversary gets the valid password PW  of the user   can he/she impersonate the user   to access the service. However, even if an insider of the remote system gets the information ID  and RPW  = ℎ(  ⊕ PW  ), he/she cannot obtain the password PW  , since it is protected by the one-way hash function, and cannot impersonate the user   to log in to the system or change the user's password. Therefore, the proposed scheme can properly resist the insider attack.

Resist Stolen Smart Card Attack.
Assume that the user   's smart card has been lost or stolen; the attacker can extract the stored information {  ,   ,      ,   ,   ,   (  ), , ,   } from the smart card using differential power analysis [29] and simple power analysis [30]. Even after gathering this information, in order to change the user's password or log in to the system using the lost smart card, the attacker has to get the real identity ID  and the password PW  correctly at the same time. However, because the attacker does not know the master secret key   and meanwhile ID  and PW  are protected by the one-way hash function, it is not possible for an attacker to guess ID  and PW  correctly
) ̸ = ℎ(  ) =   . So, the wrong password can quickly be checked by the smart card, and the server does not need to waste unnecessary communication and computation cost to verify the validity of the password. Thus, the proposed scheme is efficient for wrong password verification.

Performance and Functionality Analysis.
In this section, we evaluate the performance and functionality of our proposed scheme and compare it with Tseng et al.'s scheme. In order to facilitate the computational complexity analysis of the scheme, we define the following notations. Because the exclusive-OR operation requires very few computations, we neglect its computational cost in this paper. We list the result of the performance comparison in Table 2, and we can see that the total computational costs of our scheme and Tseng et al.'s scheme are 2  + 18  + 4 EXP and 2  + 9  + 4 EXP + 2 ENC + 2 DEC , respectively. Since the symmetric cryptosystem needs more computational cost than the one-way hash function, our scheme is more efficient than Tseng et al.'s scheme.
Table 3 shows the functional comparison of our proposed scheme and Tseng et al.'s scheme. Compared with Tseng et al.'s scheme, our scheme can resist various attacks and can really protect user anonymity. Besides, our scheme can quickly check the validity of the password at the very beginning of the login phase. Therefore, our scheme is more secure and efficient than Tseng et al.'s scheme.

Conclusions
In this paper, we have applied the LU decomposition of matrices to present a novel anonymity bilateral authentication scheme. First, we pointed out the security weaknesses of Tseng et al.'s scheme, that is, their scheme is vulnerable to the insider attack and the stolen smart card attack, is inefficient for wrong password login, and does not really provide user anonymity. To surmount these identified weaknesses, we have proposed a novel scheme using the LU decomposition of matrices to reduce computational complexity and improve security, where the LU decomposition of matrices ensures secret information exchange between the user and the server and enhances the security of the authentication scheme. Hence, our proposed protocol is more efficient and practical.

After receiving the mutual authentication message (  ,   ,   ), the smart card verifies the validity of the time interval between   and   . If (  −  ) ≥ Δ, the user   terminates the session. Here   is the timestamp when the mutual authentication message was received. The smart card computes    =   ⊕   ,    = ℎ(ℎ(ID  ‖     )‖  ‖   ‖‖  ) and checks    ?=   . If they are equal, the server  is authenticated by the user   , and the server  and the user   achieve mutual authentication. Otherwise, the smart card terminates this session. At last, the user   and the server  can compute AK  =     mod  =      mod  and AK  =     mod  =     mod , respectively, as their shared session key for future secret communication.

Password Change Phase.
When the user   wants to renew his/her password to PW new  , the user   can update his/her password by performing the following steps without communicating with the server .
(1) The user   inserts his/her smart card into a card reader, inputs his/her identity ID  and old password PW  , and requests to change his/her password.
(2) The smart card computes RPW  = ℎ(  ‖PW  ),   =   ⊕ ℎ(ID  ⊕ RPW  ),    = ℎ(   ) and compares    ?=   . If they are not equal, the password change request is rejected. Otherwise the user   inputs a new password PW new  .
(3) The smart card computes RPW *  = ℎ(  ‖PW new  ),  *  =   ⊕ ℎ(ID  ⊕ RPW *  ), and  *  =  *  ⊕ ℎ(ID  ‖RPW  ) ⊕ ℎ(ID  ‖RPW *  ).
(4) Finally, the smart card replaces   and   with  *  and  *

 ℎ : the time for executing a one-way hash function ℎ(⋅);   : the time for performing a vector multiplication operation;  EXP : the time for performing an exponentiation operation;  ENC : the time for performing a symmetric encryption operation;  DEC : the time for performing a symmetric decryption operation.
(2) The server  chooses two random numbers   ,   ∈ [1, ] and computes      =   (  ) ×   (  ),   = ℎ(     ⊕  ) ⊕ ℎ(ID  ‖RPW  ),   = ℎ(  ) ⊕  , where the meaning of the symbols   (  ) and   (  ) is the same as in Section 3.1.
(3) The server stores {  ,   ,      ,   ,   ,   (  ), , } into a smart card and issues the smart card to   via a secure channel, where  is a big prime with  = 2 + 1,  is also a big prime, and  is a primitive element with   = 1 mod .
(4) At last, in order to facilitate the subsequent verification, the user   enters the remembered random number   into the smart card, so that the smart card contains {  ,   ,      ,   ,   ,   (  ), , ,   }.

Login Phase.
When the user   wants to log in to the system,   inserts his/her smart card into the card reader and inputs his/her identity ID  and password PW  . Then the smart card performs the following operations: If they are equal, it means the user has input the right identity and password. Otherwise, the input identity or password is not valid, and the smart card terminates the session.
Upon receiving the login request message {  , CID  ,   ,   ,   (  ),   , }, the server performs the following steps for mutual authentication and key agreement.

Table 3 :
Functionality comparison between our scheme and Tseng et al.'s scheme.

Resist Server Spoofing Attack.
In the proposed scheme, in order to masquerade as the remote server to cheat the user   , the attacker has to get the secret information  and   to compute the valid reply mutual authentication message. However, the secret matrix  is only maintained by the server , so the attacker has no way to recover the information      . On the other hand, even if the malicious user   has got his/her own smart card information {  ,   ,      ,   ,   ,   (  ), , ,   } and other users' communication messages {  , CID  ,   ,   ,   (  ),   , } and {  ,   ,   }, he/she still has no way to get   since it is protected by the one-way hash function. So the attacker cannot get the required information  and   , and the proposed scheme can resist the server spoofing attack.

Efficient for Wrong Password Verification.
In the login and password change phases of the proposed scheme, the validity of the password PW  can quickly be verified by the smart card when the user   inputs his/her password. If the user   inputs a wrong password PW   ( ̸ = PW  ), the smart card computes RPW   = ℎ(  ‖PW   ) ( ̸ = ℎ(  ‖PW  ) = RPW  ),    =   ⊕ ℎ(ID  ‖RPW   ) =   ⊕ ℎ(ID  ⊕ RPW  ) ⊕ ℎ(ID  ‖RPW   ) ( ̸ =   ) and gets    = ℎ(