Provable Secure and Efficient Digital Rights Management Authentication Scheme Using Smart Card Based on Elliptic Curve Cryptography

Since the concept of ubiquitous computing was first proposed by Mark Weiser, its connotation has been extended and expanded by many scholars. In the pervasive computing application environment, many kinds of small devices containing smart cards are used to communicate with others. In 2013, Yang et al. proposed an enhanced authentication scheme using smart card for digital rights management. They demonstrated that their scheme is secure enough. However, Mishra et al. pointed out that Yang et al.'s scheme suffers from the password guessing attack and the denial of service attack. Moreover, they also demonstrated that Yang et al.'s scheme is not efficient enough when the user inputs an incorrect password. In this paper, we analyze Yang et al.'s scheme again and find that their scheme is vulnerable to the session key attack. Also, there are some mistakes in their scheme. To surmount the weaknesses of Yang et al.'s scheme, we propose a more efficient and provably secure digital rights management authentication scheme using smart card based on elliptic curve cryptography.


Introduction
In 1991, ubiquitous computing was first proposed by Mark Weiser, who thought that ubiquitous computing technology could provide users with services through a variety of equipment in an environment that would disappear from the user's consciousness [1]. Later, IBM Corporation scientists also raised the idea in 1999, and they forecast that pervasive computing could be a way to compute everywhere, anytime, and anywhere [2,3]. With the development of computer and internet technology, multimedia contents (image, document, music, movie, video, etc.) have been greatly enriched all the time, and all of them can be easily redistributed, copied, and downloaded on the internet without authorization. This drawback results in rampant piracy and causes huge revenue losses to electronic commerce [4]. As a result, in the pervasive computing application environment, the protection of digital publication copyright becomes more and more important. Digital rights management (DRM) technology is developed to overcome this problem [5]. Normally, DRM is only software which restricts the usage of the content in order to protect copied and distributed contents [6][7][8][9]. The DRM system manages the procedures of the digital contents including protection, distribution, and authorization. Using DRM technology, intellectual property is respected and protected by data encryption, so it can only be accessed by authorised users and cannot be distributed without limit [10,11].
In 2009, the first three-role based DRM implementation scenario authentication scheme using smart card was proposed by Zhang et al. [12]. Then, Yang et al. showed that Zhang et al.'s scheme was vulnerable to the insider attack and the stolen smart card attack [10]. To surmount the weaknesses of Zhang et al.'s scheme, Yang et al. proposed an enhanced digital rights management authentication scheme based on smart card. They demonstrated that their scheme could preclude all the weaknesses existing in Zhang et al.'s scheme. Recently, Mishra and Mukhopadhyay cryptanalyzed Yang et al.'s scheme and found that it cannot resist the password guessing attack and the denial of service attack. Moreover, they also pointed out that Yang et al.'s scheme is not efficient enough when the user inputs an incorrect password, and this drawback may cause a denial of service attack [13]. Beyond the attacks mentioned by Mishra et al., we find that Yang et al.'s scheme does not resist the session key attack. In addition, we also discover that there are some mistakes in their scheme.
We propose a new efficient and provably secure digital rights management authentication scheme using smart card based on elliptic curve cryptography [14][15][16]. To demonstrate that the scheme is provably secure, we introduce the security model AFP05 [17,18] and analyze our scheme in this model. In the following, we give the proof that our proposed scheme is secure in the AFP05 model. It is well known that a one-way hash function is more efficient than the scalar multiplication and pairing operations [19][20][21]. Moreover, the pairing operation costs much more than the scalar multiplication operation. The effort of evaluating one pairing operation is approximately three times the effort of evaluating one scalar multiplication operation. So, we remove some pairing operations on points of the elliptic curve and use hash functions instead to increase the scheme's efficiency.
The structure of this paper is arranged as follows. In Section 2, we introduce the notations and definitions used in this paper. Section 3 reviews Yang et al.'s scheme, and Section 4 analyzes its weaknesses. We show the details of the scheme we propose in Section 5. Section 6 gives a formal security proof of the scheme, while Section 7 presents the security analysis of our proposed scheme. In Section 8, we compare our proposed scheme with Yang et al.'s and Zhang et al.'s schemes. Section 9 concludes the paper.

Notations and Definitions
Let  1 be an additive group on an elliptic curve with generator  and  2 a multiplicative cyclic group with generator . Both of them have prime order . Let  denote a computable bilinear map  :  1 ×  1 →  2 satisfying the following three properties [10,12]:
(i) Computability. Given ,  ∈  1, there is an efficient algorithm to compute (, ).
Several commonly used notations and their descriptions are described after the Conclusions Section to facilitate the following references.

Review of Yang et al.'s Scheme
There are three phases in their scheme; they are, respectively, registration phase, mutual authentication and key agreement phase, and password update phase.

Registration Phase
3.1.1. User's Registration Section. In this part, a user  requests to be a legal user and the server  conducts the following operations.
U1 ( → : {ID, PW}). The user  generates his/her own identity ID and password PW freely. Then,  chooses a nonce   randomly and computes After that,  sends {ID, PW} to the server securely.
U2 ( → : {,  2(⋅)}). After obtaining the message sent by , the server  begins to compute Then,  stores {} in the verification table. Afterward, the server issues a smart card containing {,  2(⋅)} and transmits it to  through a secure channel.

Device's Registration Section. In this section, the device  requests to be authorized by the , and the following steps are performed together with the server.
D1 ( → : {ID}). The device  transmits its identity {ID} to the server  through a secure channel.
D2 ( → : {}). After obtaining the message sent by , the  begins to compute and sends it to  via a secure channel. Afterward, the device's public key and secret key are   =  1(ID) and  .
When the server receives the message, it computes and checks whether  2 is equal to  2( ⊕ PW ⊕ PW). If this holds, the  authenticates  and updates   with   = PW ⊕  . Otherwise, this authentication request is rejected. Then,  computes and checks whether If this holds, the device  is authenticated by . Otherwise, this authentication request is rejected. After that, the server generates two random strings  1,  3 and a random number  2.  computes At last, the  replies with the message {ID, ID, ID,  1,  2,  3,  4,  5,  6} to . The correctness of (8) is shown as follows:

M4 ( → : {ID, ID,  1,  2,  6,   3( 1)}). After receiving the message from ,  computes and checks whether If this holds, the server  is authenticated by the device . Otherwise, this authentication procedure fails. Then,  generates a random string   1 and computes Finally,  sends the message {ID, ID,  1,  2,  6,   3( 1)} to the user .
The correctness of (12) is shown as follows: The   is the session key between  and device .

P1 ( → : {}). The  inserts the smart card into a smart card reader and inputs his/her identity ID, old password PW, and new password PW new. Then the smart card chooses a secret nonce   randomly to compute the following results: Then,  transmits   = {1, 2, 3} to .
P2 ( → : {4}). Once obtaining the message sent by , the  computes

In addition to this, we also discover that there are some mistakes in their scheme. We introduce our new discoveries in the following.

Session Key Attack.
If an attacker intercepts the message {ID, ID, ID,  1,  2,  3,  4,  5,  6} sent from the server to the device and modifies some data in it, the user and the device may establish different session keys. So the attacker  can realize the session key attack through the following steps.
(2) After receiving the message,  computes and checks the equation Obviously, they are equal. Then,  generates a random string   1 and computes Finally,  sends the message {ID, ID,  1,  2,  6,  3′( 1)} to the user . In this step, the string  3′ is not equal to the random string  3 generated by the server.
The correctness of (22) is shown as follows: Finally,  generates the session key   =  2( 1 ‖  1′) shared with the device and sends the message {  3( 1)} back to the device . In this step, the string   3 is equal to the random string  3 generated by the server and not equal to the string  3′ computed by the device.
(4) Once obtaining the message sent by the user, the device computes  ′ is the session key shared between the user  and the device . Obviously, the session key   computed by the user is different from the session key  ′ computed by the device. So Yang et al.'s scheme suffers from the session key attack.

Some Mistakes.
In the mutual authentication and key agreement phase, the identity ID has not been sent to the device . But when the device computes   =  3(ID ‖ ID ‖  ‖ ), it already knows the user's identity.
By common sense, if the user has not sent its identity to the device, the device cannot obtain the user's identity. So there is a mistake in this phase. What is more, this mistake also exists in the password update phase of Yang et al.'s scheme.

Our Proposed Scheme
Based on Yang et al.'s scheme, our protocol also contains four phases: the registration phase, the login phase, the key agreement phase, and the password update phase. Algorithm 1 describes our scheme's registration phase. The login phase and the key agreement phase are shown in Algorithm 2. At last, we show the password update phase in Algorithm 3. The details are as follows.
5.1. Registration Phase. In our proposed scheme, the registration phase can also be divided into two parts: the user's registration phase and the device's registration phase. Our device's registration phase is the same as the device's registration phase in Yang et al.'s scheme. We describe our user's registration phase as follows.
R1 ( → : {ID, PW, ID}). An identity ID and password PW are chosen by user  freely. Then,  generates a nonce   randomly and computes After that,  sends {ID, PW, ID} to the server  via a secure channel.

Login Phase.  inserts his/her smart card into a smart card reader and inputs his/her identity ID and password PW. Then the smart card computes and checks whether   is equal to  2( ⊕ ). If this holds, it authenticates the identity and password of the user. Otherwise, the user's request is rejected.

Algorithm 1: The registration phase (user's registration phase: choose ID and PW, generate a random nonce).

Key Agreement Phase. There are six steps and five messages during each run of the proposed protocol. The details are as follows.
A1 ( → : {2 1}). Then, the smart card generates a secret string  1 randomly and computes Next,  transmits the message

Upon obtaining the message sent by , the  generates a number   1 randomly and computes Then,  transmits the message   2 = {ID, , , 2 1} to the server .
A3 ( → : {2}). When the server receives the message, it computes and checks whether (, ) is equal to (,  +   1 ⋅ ). If this holds, the device  is authenticated by . Otherwise, this authentication request is rejected. Then,  computes and checks whether  1 is equal to  2( ⊕  ⊕   1). If this holds, the user  is authenticated by . Otherwise, this authentication request is rejected. After that, the server  generates a random string  1. Then  computes Finally, the  replies with the message 2 = {1, 2, 3, 4} to the device .

A4 ( → : {  2}). After receiving the message,  computes

Algorithm 2: The login phase and the key agreement phase.
A5 ( → : {2 2}). The user  checks whether  3 is equal to  2(1 ⊕   ⊕  2). If this holds, the user  authenticates the . Otherwise, this authentication procedure fails. After that,  computes Then, the user  checks whether   2 is equal to  2( ‖  ‖  1). If this holds, the device  is authenticated by the user . Otherwise, this authentication procedure fails.  generates a random number  2 and computes where   is the session key shared between the user  and the device . Finally,  sends the message 2 2 = {, } back to the device .
A6. After obtaining the message sent by the user, the device  checks whether   is equal to  2( ‖  ‖  1). If this holds, the user  is authenticated by the device . Otherwise, this authentication procedure fails. Then,  computes The   is the session key between the user  and the device .

Password Update Phase.
Next,  transmits the message {ID,  (1),  1(PW), 1, 2} to the .

C2 ( → : {1, 2}). Once obtaining the message sent by the user, the  computes and checks whether If this holds,  accepts the user's request. Otherwise, this request is rejected. Then, the server  computes and sends the message {1, 2} back to the user .
C3. When the user receives the message from the server, he/she computes and checks whether  2 is equal to  2( new) ⊕  2(PW new ⊕ 1). If not, the request is rejected. Otherwise, the user computes and replaces , , and   with  new,  new, and  new, which are all saved in the smart card.

Security Model and Proof
In this part, the provable security method is employed to prove that our proposed protocol is provably secure in the model of [18]. The queries defined in our improved AFP05 security model can be simulated using the SendClient, SendDevice, and SendServer queries repeatedly if we assume that there is at least one benign adversary which faithfully relays message flows. In our improved AFP05 security model, the notion of freshness is already embedded in the definition of the oracles. A Find-Then-Guess (FTG) model exists in our improved AFP05 security model, in which semantic security is defined by a game with two phases. In the first phase, the adversary is able to adaptively execute SendClient, SendDevice, SendServer, Reveal, and Test queries. In the second,  executes a single Test query and guesses a bit ′ for , where  is selected in the Test query. If ′ = , the adversary wins the game. Let Succ denote the event that the adversary correctly guesses the bit ; the advantage of  attacking the protocol  is defined as

A 3PAKA protocol  is considered semantically secure in the FTG model if and only if Adv FTG−3PAKA(, ) = max {Adv FTG−3PAKA()} is negligible, where the maximum is taken over all adversaries with time complexity at most  and number of queries at most  [10].

Let ,  be two large prime numbers with  | ( − 1). Let  be a multiplicative subgroup of  * of prime order  with generator  0.

Computational Diffie-Hellman Problem (CDH). Given { 0,  0,  0 ∈ } and ,  ∈  *, it is hard to compute   mod . For a probabilistic polynomial time Turing Machine Δ, the probability that it successfully solves the CDH problem in  is defined as

Proof. We define several attack games from Game  0 to Game  6. For each game  , Succ denotes the event that  has successfully guessed the bit  in the test session. The games are listed as follows.
(ii) For a query Reveal( / ), we proceed as follows: (a) If no session key is defined for instance  /  or if either  /  or its partner is asked a Test query, the output is ⊥. Otherwise the output of this query is  , which is defined for the instance  / .
(iii) For a query Test( / ), we proceed as follows: (a) If no session key is defined for instance  /  or if either  /  or its partner is asked a Reveal query, the output is ⊥. Otherwise, the oracle flips a bit . If  = 1, the session key is output. Otherwise, a value randomly chosen from the distribution space of the session key is output.
Game  0. This is the actual attack game. According to the definition, we have Adv

Game  2. In this game, all the oracles simulated are almost the same as in Game  1, but here we avoid some collisions in the transcripts. The hash oracles  1(⋅),  2(⋅), and  3(⋅) may collide on different input values. We use the following rule.
(v) For a query SendDevice(, 2 2), we proceed as follows if instance   is in an expecting state: (a) Rule 4(1): We check whether  2( ‖  ‖  1) =  . If the equation does not hold, instance   terminates without accepting. Otherwise, instance   accepts and applies the following rule.

Security Analysis of Our Scheme
To get over the problems existing in Yang et al.'s scheme, we propose a provably secure and efficient authentication scheme using smart card based on elliptic curve cryptography. In this part, we show that the scheme we propose is secure against various attacks [23,24].
Mathematical Problems in Engineering

Denial of Service Attack. In some schemes [10,[25][26][27], both the server and the user need to update some shared data in their smart card or verifier table after the key agreement phase or the authentication phase. The attacker can eavesdrop, intercept, and modify any transmitted message on the public channel, and this behavior may cause the shared data held by the user and the server to diverge. So these schemes cannot resist the denial of service attack. In our proposed scheme, the user and the server do not need to update any data in their smart card or verifier table. Thus, the attacker can no longer perform the denial of service attack.

Efficient Login Phase. To improve the efficiency of our proposed scheme, the smart card checks the correctness of the user's identity and password before the key agreement phase. In the login phase of our scheme, when the user  inputs his/her identity ID and password PW, the smart card first checks the correctness of ID and PW through the equation   =  2( ⊕  2(PW ⊕ ) ⊕   ⊕ ID). If it does not hold, the smart card rejects the request. Otherwise, it authenticates the legality of the user  and proceeds to the key agreement phase.

Session Key Attack. First, the security of the session key in our scheme is based on the computational Diffie-Hellman problem. Second, the session key is generated from random numbers which are selected by the user and the device, respectively. Finally, before computing a session key, both of them must authenticate each other [28]. Based on the reasons mentioned above, the attacker cannot perform the session key attack.
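As an added illustration of the session key attack described in Section 4 (an on-path modification of the server's random string on its way to the device, so the user and the device derive different keys) and of the key-confirmation checks the proposed scheme performs in its last two steps, the following constructed Python model is example code, not from the paper; the names ru, rd, r3, H2 and the message layout are assumptions and do not reproduce either scheme's exact expressions.

```python
"""Constructed toy model of the three-party key agreement discussed above.
Names (ru, rd, r3, H2, tag) and message layouts are assumptions for illustration
only; they are not the exact expressions of Yang et al.'s scheme or of the
proposed scheme."""
import hashlib
import hmac
import os


def H2(*parts: bytes) -> bytes:
    """One-way hash H2(.) modelled with SHA-256 over length-prefixed parts."""
    h = hashlib.sha256()
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()


def session_key(ru: bytes, rd: bytes, r3: bytes) -> bytes:
    """sk = H2(ru || rd || r3): ru from the user, rd from the device, r3 from the server."""
    return H2(ru, rd, r3)


def run_unconfirmed(tamper: bool) -> dict:
    """Flawed flow: r3 reaches the device in a message whose r3 field is not
    bound to any check, while the user receives the server's r3 over its own
    path.  Each side derives a key and simply starts using it, so neither
    notices if the two keys differ."""
    ru, rd, r3 = os.urandom(16), os.urandom(16), os.urandom(16)
    r3_at_device = os.urandom(16) if tamper else r3   # field altered in transit
    sk_user = session_key(ru, rd, r3)
    sk_device = session_key(ru, rd, r3_at_device)
    return {"user_accepts": True, "device_accepts": True,
            "keys_match": hmac.compare_digest(sk_user, sk_device)}


def confirmation_tag(sk: bytes, role: bytes, nonce: bytes) -> bytes:
    """Key-confirmation value bound to the derived key, the sender's role and a
    fresh nonce, in the spirit of the hash checks in steps A5 and A6."""
    return H2(sk, role, nonce)


def run_confirmed(tamper: bool) -> dict:
    """Hardened flow: both parties exchange confirmation tags computed under
    their own key; a party accepts only if the peer's tag verifies under the
    key it derived itself, so a mismatch aborts the session."""
    ru, rd, r3 = os.urandom(16), os.urandom(16), os.urandom(16)
    r3_at_device = os.urandom(16) if tamper else r3
    sk_user = session_key(ru, rd, r3)
    sk_device = session_key(ru, rd, r3_at_device)
    # Device -> user: tag over the device's key; the user verifies with its key.
    n_d = os.urandom(8)
    user_accepts = hmac.compare_digest(
        confirmation_tag(sk_device, b"device", n_d),
        confirmation_tag(sk_user, b"device", n_d))
    # User -> device: sent only if the user accepted; the device verifies likewise.
    n_u = os.urandom(8)
    device_accepts = user_accepts and hmac.compare_digest(
        confirmation_tag(sk_user, b"user", n_u),
        confirmation_tag(sk_device, b"user", n_u))
    return {"user_accepts": user_accepts, "device_accepts": device_accepts,
            "keys_match": hmac.compare_digest(sk_user, sk_device)}
```

With tamper=True the unconfirmed flow ends with both sides accepting different keys, whereas the confirmed flow rejects at the first tag check.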

Insider Attack. Because there is no verifier table in this system, the insider cannot acquire any secret data from the server's system. In addition, the insider cannot obtain   without the server's private key. And the adversary has no way to derive the secret data   from the messages he/she can obtain. Thus, he/she cannot impersonate a legal user   to pass the authentication of the server and the device, or the server   to deceive a legal user. Therefore, the proposed scheme is able to withstand the insider attack.
7.6. Replay Attack. If the 's message 2 1 is intercepted and resent to the device by the attacker, the message   2 is computed and sent to the server by the device. Obviously the user and the device can pass the server's authentication, and the server responds with the message 2 to the device. After that, the device authenticates the server and sends the message   2 to the attacker. The attacker can acquire nothing from   2. So he/she cannot send a legitimate message 2 2 to the device, and the device will not establish a session key with the attacker [29]. In the same way, if the attacker replays the device's message, he/she also cannot pass the user's authentication.

Performance Comparisons
In this part, the performance of our proposed scheme is evaluated in comparison with some other schemes [10,12]. The comparison is summarized in Table 1. We define seven parameters of time complexity which are adopted in the schemes mentioned above as follows.
(iv)  : The time complexity of executing a pairing operation on points of the elliptic curve.
(v)  : The time complexity of executing a scalar multiplication operation on a point of the elliptic curve.
(vi)  : The time complexity of executing an addition operation on points of the elliptic curve.
(vii)  : The time complexity of executing a symmetric key computation.
A comparison of our proposed scheme with those of Zhang et al. and Yang et al. is summarized in Table 1. It is well known that a one-way hash function is more efficient than the scalar multiplication operation. Moreover, the pairing operation costs much more than the scalar multiplication operation. The effort of evaluating one pairing operation is approximately three times the effort of evaluating one scalar multiplication operation. Therefore our proposed scheme performs better than Zhang et al.'s scheme and Yang et al.'s scheme. Consequently, our proposed scheme is much more suitable for practical applications.

Conclusions
We have analyzed the scheme of Yang et al. and pointed out that, beyond the attacks mentioned in Mishra et al.'s paper, their scheme suffers from the session key attack and has some mistakes. We propose a new provably secure and efficient digital rights management authentication scheme using smart card based on elliptic curve cryptography to surmount the problems in Yang et al.'s scheme. And we demonstrate that the new scheme is provably secure under the model AFP05 introduced in this paper. Because hash functions are used to replace the operations on points of the elliptic curve and the symmetric key computation in our scheme, our scheme

Notations
𝑈: The user
: The server
: The device
: The attacker
ID: The user's identity
: The secret key of the server

3.3. Password Update Phase. When the user requests to change the password PW to a new one (PW new), he/she should perform the following procedures.

4. Cryptanalysis of Yang et al.'s Scheme
) and checks whether  2 is equal to  2( ⊕ PW ⊕ PW ⊕ PW new). If it holds, the  accepts the user's request and updates the verifier   = PW new ⊕  . Otherwise, this request is rejected. Then, the server  transmits the message {4} back to the user .

P3. Once the user obtains the message sent by the server, he/she checks whether  4 is equal to  2(PW new ⊕ ). If this holds, the user replaces   and   with   and  , where   =   ⊕ PW ⊕ PW new.
(3) Because  did not modify the message {ID, ID,  1,  2, },   1( 2) ⊕   is equal to  2(ID ‖ ID ‖  1). Then,  updates   and  . After that,  generates a random string  1 and computes

Algorithm 3: The password update phase of our scheme.

( ‖  ‖  ‖  ‖ 1 ‖ 3). If this holds, the  is authenticated by the device . Otherwise, this authentication procedure fails. Then,  generates a random number   2 and computes

Password Update Phase. When the user requests to update his/her password PW to a new PW new, he/she should perform the following procedures.

C1 ( → : {ID,  (1),  1(PW), 1, 2}).  inserts his/her smart card into a smart card reader and inputs his/her identity ID, old password PW, and new password PW new. Then the smart card checks whether   is equal to  2( ⊕  2(PW ⊕ ) ⊕   ⊕ ID). If this holds, it authenticates the identity and password of the user. Otherwise, the user's password update request is rejected. After this, the smart card generates a secret string  1 randomly and computes

Reveal( / ). If no session key is defined for instance  /  or if either  /  or its partner is asked a Test query, the result of this query is the invalid symbol ⊥. Otherwise the session key generated by the instance  /  is returned.

Security Model. In 2005, Abdalla et al. proposed a security model AFP05, which is suitable for the three-party authenticated key agreement scenario. It contains two types of participants, the client and the trusted server [18]. But there are three types of participants in our proposed protocol,
a user, a trusted device, and a trusted server. So we add a query SendDevice in our security model. During the execution of the protocol,  and  have many instances, respectively.  and  denote the th instance of  and the th instance of . An oracle is in one of the states accept, reject, and ⊥. If the oracle gets a correct message, it enters the accept state; otherwise, it enters reject. ⊥ means that no decision has been reached or no result has been returned. The adversary , which is abstracted as a probabilistic polynomial time Turing Machine, interacts with the other participants through a bounded number of queries which model the capabilities of the adversary in an actual attack. The queries are listed as follows.

SendClient(, ). After receiving message  sent by the adversary, the   generates a message and outputs it as the result of this query. A query SendClient(, Start) begins a new key agreement process.

SendDevice(, ). After receiving message  sent by the adversary, the   generates a message and outputs it.

SendServer(, ). After receiving message  sent by the adversary, the  generates a message and outputs it.

Test( / ). If no session key is defined for instance  /  or if either  /  or its partner is asked a Reveal query, the result of this query is the invalid symbol ⊥. Otherwise, the oracle flips a coin . If  = 1, the session key is output. Otherwise, a value randomly chosen from the distribution space of the session key is output.
Let  1 be an additive point group on an elliptic curve with generator , and let  and  be elements of  1.  is able to compute the value of  only with  and  in time at most 

The hash functions  1(⋅),  2(⋅), and  3(⋅) are modeled as random oracles. Let  be an adversary against our protocol  within time . We denote by  1,  2, and  3 the number of  1(⋅),  2(⋅), and  3(⋅) oracle queries executed by , and by  ,  V, and   the number of SendClient, SendDevice, and SendServer queries. Then  = { 1,  2,  3,  ,  V,  } and   ≤  + ( +  V + ) , with   denoting the computational time of one scalar multiplication in  1.
CDH Assumption. For any probabilistic Turing Machine Δ, the probability Succ CDH(Δ) is negligible.
Game  1. We simulate all the oracles for each query and keep three lists to store the oracle answers. ℎ stores the answers of the random oracles  1(⋅),  2(⋅), and  3(⋅);   stores the random oracle queries asked by ;   stores the transcripts in the channel. We simulate the SendClient, SendDevice, SendServer, Reveal, and Test queries as in the actual attack. We list the hash, Reveal, and Test queries under Hash, Reveal, Test Queries and the SendClient, SendDevice, and SendServer queries under SendClient, SendDevice, SendServer Queries. Obviously, Game  0 and Game  1 are indistinguishable. So we have $\Pr[\mathrm{Succ}_1] = \Pr[\mathrm{Succ}_0]$ and

$$\mathrm{Adv}^{\mathrm{FTG\text{-}DRM}}_{P}(\mathcal{A}) = \left| 2\Pr[\mathrm{Succ}_0] - 1 \right|. \quad (49)$$

Otherwise, we randomly generate a bit ′ if the game aborts or stops without an answer from  or  has not finished the game.
7.1. Smart Card Loss Attack. The smart card of user  contains {, , , , ,  2(⋅), (⋅)/(⋅)}. If the smart card of the user  is stolen by the attacker, he/she could only get the secret data , , , and   from it; the other data in the smart card is public to all clients. However, he/she does not know the identity ID or the password PW of . As a result, he/she cannot use the secret data , , , and   to impersonate the user  to pass the authentication of the server and the device. Therefore, our scheme can resist the smart card loss attack.
: The public key of the server, with   = 
PW: The user's password
: The public key of the user, with   =  1(ID)
 1(⋅): {0, 1}* →  1, a one-way hash function mapping an arbitrary-length bit string to a member of group  1
 2(⋅): {0, 1}* → {0, 1}, a one-way hash function mapping an arbitrary-length bit string to an -bit string
 3(⋅): {0, 1}* →  *, a one-way hash function mapping an arbitrary-length bit string to a random member of the group  *
(⋅)/(⋅): The symmetric encryption/decryption algorithm using key 
⊕: The bitwise XOR operation
‖: String concatenation operation