Efficient Hierarchical Authentication Protocol for Multiserver Architecture

The multiserver architecture authentication (MSAA) protocol plays a significant role in achieving secure communications between devices. In recent years, researchers have proposed many new MSAA protocols to gain more functionality and security. However, in the existing studies, registered users can access all registered service providers in the system without any limitation. To ensure that the system can restrict users at different levels to service providers at the corresponding levels, we propose a new lightweight hierarchical authentication protocol for multiserver architecture that uses a Merkle tree to verify the user's authentication right. The proposed protocol has hierarchical authentication functionality, high security, and reasonable computation and communication costs. Moreover, the security analysis demonstrates that the proposed protocol satisfies the security requirements of practical applications, and the proposed protocol is provably secure in the general security model.


Introduction
Rapid advances in wireless communication technologies bring convenience to our lives. With an increasing number of users and services, single-server architecture authentication protocols can no longer meet people's various requirements [1]. Multiserver architecture authentication (MSAA) protocols have emerged and been widely used in the Internet of things, wireless sensor networks, smart grid, cloud computing, and mobile payment. Because MSAA protocols have better properties than single-server architecture authentication protocols [2,3], they have become a hot topic in current research.
However, due to the openness of the multiserver environment, an adversary can easily control the communication channels and carry out many types of attacks, such as intercepting, modifying, replaying, and delaying messages between multiple parties. To defend against these attacks, researchers have proposed many authentication protocols for the multiserver architecture that use cryptographic methods to secure communication between the different parties. Newer protocols also have lower computation and communication costs than the previous ones. Currently, MSAA protocols can be divided into two types by whether the registration center (RC) is involved at the authentication phase. The first type is MSAA protocols with the RC involved at the authentication phase (MSAA1) [1,2,4-11], and the second type is MSAA protocols without the RC at the authentication phase (MSAA2) [12-23]. In MSAA1 protocols, RC verifies every mutual authentication process, which makes it a bottleneck. The communication cost of MSAA1 protocols is significantly higher than that of MSAA2 protocols. To address these drawbacks, researchers have proposed many MSAA2 protocols, which are more efficient and secure than the existing MSAA1 protocols [14].
Currently, hierarchical authentication functionality is missing from the existing MSAA2 protocols. When a user has registered at RC, he/she can authenticate with all registered service providers [24] and access their services. However, there are many different users and service providers in such a system, the users' levels differ from each other, and low-level users should not be able to authenticate with high-level service providers and access their services. Besides, some high-level service providers should only provide service for particular users, such as VIP users. In general, MSAA protocols with hierarchical authentication functionality offer flexibility in managing users' authentication rights and access capabilities. Hierarchical authentication functionality has been achieved in MSAA1 protocols [2,4]. In an MSAA1 protocol, RC is required at the authentication phase; therefore, RC can verify the user's authentication right to determine whether he/she may access service providers at a particular level. However, MSAA1 protocols have several drawbacks, such as the unreasonable communication cost shown above, which make the whole system inefficient. If we applied the existing MSAA2 protocols to the above environment, multiple RCs would be needed to manage users and service providers at different levels, and users and service providers would need to store various certificates from different RCs. The absence of hierarchical authentication functionality in the existing MSAA2 protocols motivates us to design a new lightweight hierarchical authentication protocol for multiserver architecture. The proposed protocol uses a self-constructed Merkle tree to achieve hierarchical authentication functionality. In the proposed protocol, a session key is established between service providers and users without involving RC; this significantly reduces the communication cost and makes the authentication process faster.
The proposed protocol meets the security requirements of the multiserver architecture and is provably secure in the general security model. The remainder of this paper is organized as follows. Section 2 discusses the related work. Section 3 describes preliminaries. Section 4 shows the details of the proposed protocol. Section 5 gives the formal security proof of the proposed protocol. Section 6 compares the proposed protocol with other related protocols on security, computation, and communication costs. Section 7 concludes the paper.

Related Work
Li et al. [1] proposed a new multiserver architecture authentication (MSAA) protocol for cloud computing based on the identity-based model. Shao and Chin [4] proposed an authentication protocol for multiserver architecture but failed to resist the server spoofing and impersonation attacks. He and Wang [5] constructed the first genuinely three-factor authentication protocol for the multiserver architecture, but their protocol is vulnerable to the known session-specific temporary information attack and the impersonation attack. Odelu et al. [6] proposed an improved protocol to solve the security drawbacks in [5]. Xie et al. [7] proposed a two-factor authentication protocol; however, Xie's protocol cannot resist the lost smart card attack and the offline dictionary guessing attack. To address these drawbacks, Chandrakar and Om [8] proposed a new security-enhanced three-factor protocol. Feng et al. [9] proposed an enhanced biometrics-based authentication protocol that provides user anonymity. Amin et al. [10] proposed a lightweight authentication protocol with lower computation and communication costs. Cui et al. [11] proposed an efficient protocol that only uses nonces, the exclusive-OR operation, and a one-way hash function; their protocol greatly reduces the computation cost. However, all protocols of this kind need an online registration center to achieve mutual authentication, which increases the communication cost.
To solve the drawbacks of the first type of protocol, Choi et al. [12] proposed the first MSAA protocol without an online registration center. Tseng et al. [13] proposed a list-free ID-based authentication protocol using bilinear pairings for the multiserver architecture; however, it cannot provide credentials privacy and untraceability for users. Recently, Odelu et al. [14] and He et al. [15] proposed new protocols that reduce the computation and communication costs. Irshad et al. [16] found that the protocol in [17] cannot achieve the desired security goals; therefore, they proposed an improved multiserver authentication protocol for distributed mobile cloud computing services. Afterward, Xiong et al. [18] found that the protocol in [16] has an unreasonable computation cost, so they proposed an enhanced protocol for the distributed mobile cloud. At the same time, Xiong et al. [19] proposed a new lightweight anonymous authentication protocol to reduce computation and communication costs. Barman et al. [25] used a fuzzy commitment approach to secure the information stored on the personal device. Kumari et al. [20] proposed the concept of a fuzzy extractor to provide proper matching of biometric patterns. Xu et al. [21] proposed a new protocol that provides untraceability. Jiang et al. [22] performed a security analysis of the protocol in [17], pointing out that it is vulnerable to the impersonation attack. Chatterjee et al. [23] proposed a biometric-based protocol using the chaotic map and enhanced the security of the multiserver architecture. We summarize the techniques, advantages, and disadvantages of the existing protocols in Table 1.

Preliminaries
In this section, we introduce preliminaries of the proposed protocol.
Let G_1 and G_2 be an additive cyclic group and a multiplicative cyclic group, both of large prime order q. Let e: G_1 × G_1 → G_2 denote a bilinear map. Suppose P is a generator of G_1 and g is a generator of G_2. A bilinear map e has the following properties:
(i) Bilinearity: for all P, Q ∈ G_1 and all a, b ∈ Z_q^*, e(aP, bQ) = e(P, Q)^{ab}.
(ii) Computability: there exists an algorithm that can compute e(P, Q) for all P, Q ∈ G_1.
(iii) Nondegeneracy: there exist P, Q ∈ G_1 such that e(P, Q) ≠ 1, where 1 is the identity element of G_2.
We list the hard problems used in the proposed protocol as follows:
(i) Discrete logarithm (DL) problem: given an element x ∈ G_2, it is hard to compute a ∈ Z_q^* such that x = g^a.
(ii) Computational Diffie-Hellman (CDH) problem: given two elements g^a, g^b ∈ G_2, it is hard to compute g^{a·b} ∈ G_2, where a and b are unknown and randomly chosen from Z_q^*.
(iii) Modified Bilinear Inverse Diffie-Hellman with k values (k-mBIDH) problem [12]: given k elements α_1, α_2, ..., α_k (α_i ∈ Z_q^*) and k + 2 elements {τ·P, η·P, (1/(τ + α_1))·P, (1/(τ + α_2))·P, ..., (1/(τ + α_k))·P}, each of them in G_1, it is hard to compute e(P, P)^{η/(τ+α)}, where α ∉ {α_1, α_2, ..., α_k} and τ and η are two unknown elements of Z_q^*.
The security system parameter generator used in the proposed protocol is introduced below.
Gen(·): the system parameter generator takes a security parameter n and outputs the system parameters (a bilinear map, an elliptic curve, a multiplicative group, etc.). The system parameters are publicly known. The notations used in the proposed protocol are listed in Table 2.

RC Initialization Phase.
The registration center runs the generation function Gen(1^n), which takes a security parameter n ∈ Z^+ and outputs parameters as follows:
(1) RC chooses two bilinear map groups G_1 and G_2 of prime order q, a generator P ∈ G_1, and g = e(P, P) ∈ G_2, where e: G_1 × G_1 → G_2 is a bilinear map.
(2) RC chooses the cryptographic hash functions H_1, H_2, H_3, and H_4.
(3) RC chooses a random number s ←_R Z_q^* as the master key, computes the corresponding public key P_pub = sP ∈ G_1, and constructs an authentication right tree T as in Figure 1. The details of the tree are described in Section 4.5. Finally, RC publishes the system parameters {G_1, G_2, q, e, P, P_pub, g, H_1, H_2, H_3, H_4}.

User Registration
Phase. If a user U_i wants to register with the registration center RC, the following steps are executed. The main steps are provided in Table 3.
(1) U_i sends his/her identity ID_{U_i} to RC via a secure channel.
(2) RC selects an authentication parameter KR_i ∈ T and computes U_i's private key d_{U_i} = (1/(s + H_1(ID_{U_i}‖e‖KR_i))) · P, where e is the expiry date of the private key and T is the authentication right tree. RC also chooses a parameter a_i ∈ T and sends {d_{U_i}, a_i} to U_i via a secure channel.
(3) U_i applies the fuzzy extractor generation procedure f(·) [26] to his/her personal biometrics b_i, obtaining a biometric key σ_i and a public reproduction parameter θ_i. U_i computes A = d_{U_i} ⊕ H_3(pw‖σ_i) and uses the widely implemented fuzzy-verifier technique [27,28], where pw is his/her password and n_0 is the integer defined in [27]. Finally, ..., where t is the threshold of the fuzzy extractor, f(·) is the probabilistic generation procedure that outputs ..., and ... is the deterministic reproduction procedure that can recover σ_i and θ_i from a new personal biometrics input.

Table 1: Techniques, advantages, and disadvantages of the existing protocols (columns: reference, technique, advantages, disadvantages).
— | Identity-based | Lightweight and efficient | Cannot provide user anonymity
[4] | Identity-based | Provides user anonymity, resists server spoofing attack and impersonation attack, etc. | Cannot resist server spoofing attack and impersonation attacks
[5] | Biometrics-based | First truly three-factor authenticated scheme | Cannot resist known session-specific temporary information attack and the impersonation attack
[6] | Biometrics-based | Provides secure authentication and resists passive and active attacks | Needs registration center online for authentication
[7] | Identity-based | Security enhanced; supports smart card revocation and password update without centralized storage | Cannot resist the lost smart card attack and the offline dictionary guessing attack
[8] | Biometrics-based | Efficient in terms of computation cost, communication cost, and smart card storage cost | High maintenance cost
[9] | Biometrics-based | Incurs low overhead; suitable for deployment on mobile devices | Needs registration center online for authentication
[10] | Two-factor-based | Security enhanced, lightweight, and efficient | Needs registration center online for authentication
[11] | Identity-based | Resists the server spoofing attack | Needs registration center online for authentication
[12] | Identity-based | Does not need registration center online for authentication | Cannot provide hierarchical authentication
[13] | Identity-based | Provides black/white list-free and simple revocation mechanism | Cannot provide credentials privacy and untraceability
[14] | Identity-based | Provides SK-security and strong credentials' privacy | Cannot provide hierarchical authentication
[15] | Identity-based | Uses self-certified public key cryptography and has lower computation and communication costs | Cannot provide hierarchical authentication
[16] | Two-factor-based | Resists server spoofing attack, desynchronization attack, and denial-of-service attack | Cannot provide hierarchical authentication
[17] | Two-factor-based | Reduces the authentication processing time required by communication and computation between cloud service providers and the traditional trusted third-party service | Cannot resist service provider impersonation attack and has no user revocation facility
[18] | Biometrics-based | Provides three-factor security, user revocation, and reregistration | Cannot provide hierarchical authentication
[19] | Biometrics-based | User anonymity, perfect forward secrecy, and resistance to desynchronization attack | Cannot provide hierarchical authentication
[21] | Two-factor-based | Provides user untraceability and perfect forward secrecy | Cannot provide hierarchical authentication
[23] | Biometric-based | Uses chaotic map to improve efficiency | Cannot provide hierarchical authentication

Service Provider Registration
Phase. If a service provider S_j wants to register with RC, the following steps are executed. The main steps are provided in Table 4.
(1) S_j sends its identity ID_{S_j} to RC via a secure channel.
(2) RC computes the private key d_{S_j} = (1/(s + H_1(ID_{S_j}))) · P for S_j and sends {d_{S_j}, T′} to S_j via a secure channel, where T′ is the authentication right tree for the service provider. We describe the details of T′ in Section 4.5.
(3) Finally, S_j saves {d_{S_j}, T′}.

User and Service Provider Authentication Phase.
In this part, we show the mutual authentication phase between a user and a service provider without involving RC. The main steps are provided in Table 5.
(1) First, U_i inputs his/her biometrics b_i, identity ID_{U_i}, and password pw into his/her mobile device. The device ... and verifies the validity of the inputted biometrics and password by checking whether B* = B. If it holds, the mobile device retrieves and temporarily saves ID_{U_i}. Then, U_i selects a temporary session secret r_1, calculates r_1 = H_1(r_1‖d_{U_i}), and computes g_1 = g^{r_1} and C = r_1 · (H_1(ID_{S_j})P + P_pub) using the identity of S_j. Next, ...
... If both are equal, U_i is allowed to authenticate with S_j. Then, S_j selects a temporary session secret r_2, calculates r_2 = H_1(r_2‖d_{S_j}), computes g_2 = g^{r_2}, and sets the session key as sk = H_2(g_1^{r_2}) = H_2(g^{r_1 r_2}). ...
... U_i computes G* = H_4(sk‖g_1‖g_2‖ID_{S_j}‖C) and checks whether G and G* are equal. If they are not equal, U_i aborts the session. Otherwise, U_i confirms S_j as a valid service provider and sets sk as the session key between U_i and S_j.

Tree Construction and Verification.
The proposed protocol uses an authentication right tree T to store the user's and the service provider's hierarchical authentication information. T is a Merkle hash tree, introduced by Merkle [29] in 1998. A Merkle hash tree is a digital signature scheme that uses only a conventional encryption function to compute the digital signature, which makes it extremely efficient. In 2009, Satoshi proposed a peer-to-peer electronic cash system, also known as bitcoin [30]. The bitcoin system stores transactions in a Merkle hash tree, which saves disk space and allows the transactions in each block to be verified. Therefore, we use a Merkle hash tree to construct our authentication right tree. In this part, we show how we construct the authentication tree and how a user's authentication right is verified based on the rules of the Merkle hash tree.

Tree Construction.
First, we introduce the construction of the authentication right tree T shown in Figure 1. An authentication tree T contains the information of n different levels. The first level is the lowest level in the system, and the n-th level is the highest. Node KR_i denotes a user that has the authentication right from the first level to the i-th level. The value stored in node KR_i is computed from the hash values of its left child node KR_{i−1} and its right child node L_i as KR_i = H_4(KR_{i−1}‖L_i). The calculation of node KR_1, KR_1 = H_4(L_1), differs from that of the other KR nodes. If a user is at the first level, KR_1 is embedded in his/her private key, and he/she can only access first-level service providers in this system. If a user is at the i-th level, KR_i is embedded in his/her private key, and he/she can access service providers from the first to the i-th level. The right child node L_i is an intermediate variable that prepares for calculating KR_i. The value stored in node L_i is computed from the hash values of its left leaf node a_i and its right leaf node a′_i as L_i = H_4(a_i‖a′_i). Leaf nodes a_i and a′_i are two 160-bit random strings that are stored on the user and on the service provider, respectively. If a user is at the i-th level, the number i is stored in the last log_2 n bits of a_i, and the first (160 − log_2 n) bits are a random string.

Tree Stored on Service Provider.
The authentication right tree T′ stored on the service provider differs slightly from T. The service provider uses T′ to verify the user's authentication right. The scale of the T′ stored on each service provider depends on the level of that service provider. As mentioned above, the n-th level is the highest level in the system. If a service provider is at the n-th level, it only provides service for n-th level users, so it only needs to save the authentication right tree T′ shown in Figure 2. If a service provider is at the j-th level, it can provide service for users from the j-th to the n-th level. Therefore, it needs to save a′_j to a′_n and KR_{j−1} to KR_n as in Figure 3, where the symbol "?" denotes a node that the service provider does not have.

Authentication Right Verification.
When an i-th level user wants to access a j-th level service provider, where i ≥ j, the user sends a_i to the service provider. On receiving the authentication parameter a_i, the service provider reads the last log_2 n bits of a_i to obtain the user's level and looks up a′_i. The service provider then computes L_i = H_4(a_i‖a′_i) and KR_i = H_4(KR_{i−1}‖L_i).
Next, the service provider verifies the user's authentication right by checking e(E, H_1(ID_{U_i}‖e‖KR_i) · P + P_pub) =? g_1 · g^D. If the equation holds, the service provider continues; otherwise, it aborts the session. For instance, if a 10th-level user wants to access a 5th-level service provider, the user sends a_10 to the service provider. On receiving a_10, the service provider reads the last log_2 n bits of a_10 to obtain the user's level, looks up a′_10, computes L_10 = H_4(a_10‖a′_10) and KR_10 = H_4(KR_9‖L_10), and verifies the user's authentication right by checking e(E, H_1(ID_{U_i}‖e‖KR_10) · P + P_pub) =? g_1 · g^D. If the equation holds, the service provider continues; otherwise, it aborts the authentication.
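The following Python model is an added illustration of Sections 4.5.1 to 4.5.3 (it is not code from the paper): RC builds T, issues a_i to an i-th level user and the partial tree T′ (a′_j..a′_n, KR_{j−1}..KR_n) to a j-th level provider, and the provider recomputes KR_i from a presented a_i, rejecting users below its level. Assumptions not fixed by the paper: H_4 is SHA-256, the level occupies the last n.bit_length() bits of a_i (the paper's log_2 n bits cannot hold the value n itself when n is a power of two), and the pairing check against d_{U_i} is replaced by a comparison with the provider's stored KR_i.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Added example, not the paper's code. Assumptions: H_4 is SHA-256, leaves are
# 160-bit strings as in the paper, and the level i is encoded in the last
# n.bit_length() bits of a_i (the paper's log_2 n bits cannot hold i = n when n
# is a power of two). The pairing check on d_{U_i} is out of scope here.
LEAF_BYTES = 20  # 160 bits


def H4(*parts: bytes) -> bytes:
    """Stand-in for H_4 applied to the concatenation x‖y of its inputs."""
    return hashlib.sha256(b"".join(parts)).digest()


def level_bits(n: int) -> int:
    """Number of trailing bits of a_i reserved for the level number."""
    return n.bit_length()


def make_user_leaf(level: int, n: int) -> bytes:
    """a_i: random 160-bit string whose last level_bits(n) bits hold i."""
    bits = level_bits(n)
    val = int.from_bytes(os.urandom(LEAF_BYTES), "big")
    val = ((val >> bits) << bits) | level
    return val.to_bytes(LEAF_BYTES, "big")


def leaf_level(a: bytes, n: int) -> int:
    """Read the level back from the last level_bits(n) bits of a_i."""
    return int.from_bytes(a, "big") & ((1 << level_bits(n)) - 1)


class RegistrationCenter:
    """Builds T: L_i = H_4(a_i‖a'_i), KR_1 = H_4(L_1), KR_i = H_4(KR_{i-1}‖L_i)."""

    def __init__(self, n: int):
        self.n = n
        self.a = {i: make_user_leaf(i, n) for i in range(1, n + 1)}       # user side
        self.a_prime = {i: os.urandom(LEAF_BYTES) for i in range(1, n + 1)}  # SP side
        self.L = {i: H4(self.a[i], self.a_prime[i]) for i in range(1, n + 1)}
        self.KR: Dict[int, bytes] = {1: H4(self.L[1])}
        for i in range(2, n + 1):
            self.KR[i] = H4(self.KR[i - 1], self.L[i])

    def issue_user(self, i: int) -> Tuple[bytes, bytes]:
        """Return (a_i, KR_i): a_i goes to the user, KR_i is embedded in d_{U_i}."""
        return self.a[i], self.KR[i]

    def issue_service_provider(self, j: int) -> "ServiceProvider":
        """Return the partial tree T' of a j-th level provider (there is no KR_0)."""
        a_prime = {i: self.a_prime[i] for i in range(j, self.n + 1)}
        kr = {i: self.KR[i] for i in range(max(j - 1, 1), self.n + 1)}
        return ServiceProvider(j, self.n, a_prime, kr)


class ServiceProvider:
    def __init__(self, j: int, n: int, a_prime: Dict[int, bytes], kr: Dict[int, bytes]):
        self.j, self.n, self.a_prime, self.KR = j, n, a_prime, kr

    def verify_right(self, a_user: bytes) -> Optional[bytes]:
        """Recompute KR_i from the presented a_i; None means the right is rejected."""
        i = leaf_level(a_user, self.n)
        if i < self.j or i not in self.a_prime:
            return None  # user below this provider's level: no a'_i to pair with
        L_i = H4(a_user, self.a_prime[i])
        KR_i = H4(L_i) if i == 1 else H4(self.KR[i - 1], L_i)
        # The paper feeds KR_i into e(E, H_1(ID‖e‖KR_i)·P + P_pub) =? g_1·g^D; here an
        # altered a_i is caught by comparing with the stored KR_i instead.
        if not hmac.compare_digest(KR_i, self.KR[i]):
            return None
        return KR_i


if __name__ == "__main__":
    rc = RegistrationCenter(n=10)
    a10, _ = rc.issue_user(10)
    sp5 = rc.issue_service_provider(5)
    print("10th-level user at 5th-level provider:", sp5.verify_right(a10) is not None)
    a3, _ = rc.issue_user(3)
    print("3rd-level user at 5th-level provider:", sp5.verify_right(a3) is not None)
```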

The User Revocation and Reregistration Phase.
Revocation and reregistration have been used in many protocols [31,32]. In this part, we describe user revocation and reregistration. When a user U_i loses his/her smart card, he/she needs to reregister. U_i submits his/her personal information to RC; RC then verifies U_i's personal information and checks the expiry date of the private key d_{U_i}. If d_{U_i} has already expired, RC issues U_i a new private key with a new expiry date. If d_{U_i} has not expired, RC issues U_i a new ID and a new private key with the same expiry date as the lost smart card. RC adds the lost ID_{U_i} to its ID revocation list (IDRL) and broadcasts ID_{U_i} to all service providers. After receiving ID_{U_i}, the service providers save it in their local storage.

Security Proof
In this section, we analyze the security of our protocol. First, we present a security model for our protocol, which is based on the Bellare-Rogaway (BR) model [33] and the CK-adversary model [34], and we use Zipf's law [35] to strengthen the base model. Second, we show that the security of the proposed protocol rests on the hardness of mathematical problems. Third, we show that our protocol satisfies the security requirements.

Security Model.
We propose a security model for the proposed protocol based on the literature [5,15,27,33,36].
There are two participants, U_i and S_j, at the authentication phase of the proposed protocol. The security of the proposed protocol is defined by a game played between an adversary A and a challenger C. Let Π^l_Λ denote the l-th instance of participant Λ ∈ {U_i, S_j}. In this game, the capabilities of A, as defined in [27], are as follows:
(i) A can enumerate offline all items in the Cartesian product D_id ⋆ D_pw within polynomial time, where D_pw and D_id denote the password space and the identity space, respectively.
(ii) A has the capability of somehow learning the victim's identity when evaluating the security strength (but not the privacy provisions) of the protocol.
(iii) A is in full control of the communication channel between the protocol participants.
(iv) A may either (a) learn the password of a legitimate user via a malicious card reader or (b) extract the sensitive parameters in the card memory by side-channel attacks, but cannot achieve both.
(v) A can learn previous session keys.
(vi) A has the capability of learning the server's long-term private keys only when evaluating resistance to the eventual failure of the server (e.g., forward secrecy).
A can issue queries to C and obtain answers as follows:
(i) H_i(q_j): at any time, A issues a query q_j, where q_j can be any string, and C picks a random number r_j ∈ Z_q^* and stores ⟨q_j, r_j⟩ in the list H_i^list, where i ∈ {1, 2, 3, 4} and j ∈ poly(n). Finally, C sends r_j to A.
...
After issuing the queries above, A outputs a bit b′, a guess of the coin b produced in the Test(Π^l_Λ)-query. A violates the authenticated key agreement (AKA) security of the proposed protocol Σ if A guesses b correctly. We define A's advantage in attacking the proposed protocol Σ as Adv^{AKA}

Proof of Security.
In this part, we show that the proposed protocol Σ for multiserver architecture is AKA-secure and MA-secure in the security model described above.

Lemma 1. No polynomial-time adversary A can forge a legal login message with a nonnegligible probability ε.
Proof. Suppose the adversary A forges a legal login message with a nonnegligible probability ε. We show that there is a challenger C who can then solve the discrete logarithm (DL) problem with a nonnegligible probability.
Given an instance (g, g^s) of the DL problem, the aim of challenger C is to compute s ∈ Z_q^*. C sends the system parameters {G_1, G_2, q, e, P, P_pub, g, H_1, H_2, H_3, H_4} to A. C randomly selects ID_{U_i} and answers A's queries as follows:
(i) H_i(q_j): C maintains a list H_i^list, initially empty. Upon receiving the query q_j, C checks whether ⟨q_j, r_j⟩ exists in H_i^list. If yes, C sends r_j to A; otherwise, C randomly picks r_j ∈ Z_q^*, stores ⟨q_j, r_j⟩ in H_i^list, and sends r_j to A, where j ∈ poly(n).
... otherwise, C executes the operations as follows: ... initially empty. When receiving the query ID_{S_j}, ... If yes, C sends d_{S_j} to A; otherwise, C randomly picks r_{d_{S_j}} ∈ Z_q^* and computes d_{S_j} = (1/(s + r_{d_{S_j}})) · P. C stores ...
...: C checks whether Λ and U_ch are equal; if yes, C aborts the game; otherwise, C operates according to protocol Σ.
(v) SKReveal(Π^l_Λ): after receiving the query, C sends the session key produced in Π^l_Λ to A.
... and returns d_{S_j} to A.
(viii) Test(Π^l_Λ): C randomly picks a number of the same length as the session key and sends it to A.

At last, A outputs a legal login message {C, E, F} corresponding to the user's identity ID_{U_i}. If ID_{U_i} ≠ ID_{U_ch}, C aborts the game. Based on the forking lemma [37], A can output another legal login message (C, E′, F′). Because both login messages are legal, we get the following two equations, where g^{U_i} is computed by raising g to the power of a random number chosen by A:
(1) ...
Based on the two equations above, we get ... as the solution to the given DL problem. The probability that C can solve the DL problem is described by the following events:
(i) E_1: C does not abort in any Send-query.
(ii) E_2: A outputs a legal login request.
(iii) E_3: ID_{U_i} and ID_{U_ch} are equal.
Let l denote the number of bits of the biometric data, q_Send and q_{H_1} denote the numbers of Send-queries and H_1-queries executed in the game, and C′ and s′ be Zipf's parameters [35]. We get Pr[...]. Therefore, the nonnegligible probability that C can solve the DL problem is given by .... This contradicts the hardness of the DL problem. Therefore, no polynomial-time adversary against the proposed MSAA protocol can forge a legal login message with a nonnegligible probability. □

Lemma 2. No polynomial-time adversary A can forge a legal response message with a nonnegligible probability.
Proof. Suppose the adversary A forges a legal response message with a nonnegligible probability ε. We show that there is a challenger C who can then solve the k-mBIDH problem with a nonnegligible probability.
Given an instance (P, y·P, z·P, (1/(y + α_1))·P, (1/(y + α_2))·P, ..., (1/(y + α_k))·P), with all elements in G_1, of the k-mBIDH problem, the aim of challenger C is to compute e(P, P)^{s/(y+α)}. C picks a random number x ∈ Z_q^*, computes x·P and y·P, and sends the system parameters {G_1, G_2, q, e, P, P_pub, g, H_1, H_2, H_3, H_4} to A. C randomly selects ID_{U_i} and answers A's queries as follows:
(i) H_i(q_j): upon receiving the query q_j, C checks whether ⟨q_j, r_j⟩ exists in H_i^list. If yes, C sends r_j to A; otherwise, C randomly picks r_j ∈ Z_q^*, stores ⟨q_j, r_j⟩ in H_i^list, and sends r_j to A, where j ∈ poly(n).
... and then C sends d_{S_j} to A; otherwise, C executes the operations as follows: ...
...: C checks whether Λ and S_ch are equal; if yes, C aborts the game; otherwise, C operates according to the proposed protocol Σ.
Finally, A outputs a response message corresponding to the identity ID_{S_j}. C outputs g_1 as the solution of the k-mBIDH problem. The probability that C can solve the k-mBIDH problem is described by the following events:
(i) E_1: C does not abort in any Send-query.
(ii) E_2: A outputs a legal response message.
(iii) E_3: ID_{S_j} and ID_{S_ch} are equal.
Let q_Send, q_{H_1}, and q_{H_2} denote the numbers of Response-queries, H_1-queries, and H_2-queries in the game. We get Pr[...]. Therefore, the nonnegligible probability that C can solve the k-mBIDH problem is given by .... This contradicts the hardness of the k-mBIDH problem.
Therefore, no polynomial-time adversary against the proposed MSAA protocol can forge a legal response message with a nonnegligible probability. □
Theorem 1. The proposed protocol is MA-secure if the DL problem and the k-mBIDH problem are hard.
Proof. Based on Lemmas 1 and 2, no polynomial-time adversary can forge a legal login message or a legal response message if the DL problem and the k-mBIDH problem are hard. Therefore, the proposed protocol is MA-secure. □
Theorem 2. The proposed protocol is AKA-secure if the CDH problem is hard.
Proof. Suppose A guesses b correctly in the Test-query with a nonnegligible probability ε; then C can solve the CDH problem with a nonnegligible probability.
Let E_sk denote the event that A gets the correct session key. Since the probability that A correctly guesses the value b is at least 1/2, we get Pr[E_sk] ≥ ε/2.
Let E_TU and E_TS denote the events that A issues the Test-query to a user's instance and to a service provider's instance, respectively. Let E_{U,S} denote the event that A can violate the user-to-service-provider authentication. We get the following two equations: ... We get the probability as follows: ... According to the proof of Lemma 1, Pr[E_{U,S}] is negligible. However, ε/4 − Pr[E_{U,S}]/2 is nonnegligible. Suppose that x = g^{r_1} and y = g^{r_2}, where r_1, r_2 ∈ Z_q^*. Given an instance (x, y) of the CDH problem, A computes z = g^{r_1·r_2} with a nonnegligible probability ε/4 − Pr[E_{U,S}]/2. Therefore, C can use A to solve the CDH problem with a nonnegligible probability. This contradicts the hardness of the CDH problem. Therefore, we conclude that the proposed protocol is AKA-secure if the CDH problem is hard. □

Security Requirements Analysis.
We briefly show the proposed protocol satisfies the security requirements as follows: (i) Single registration: according to the specification of the proposed protocol, a user registers at the registration center once, and he/she can log into registered service providers, which is at a specific level. erefore, the proposed protocol can provide single registration. (ii) Mutual authentication: two lemmas described above show that the adversary against the proposed protocol cannot produce a valid login or response message. en, ID U i and ID S j can authenticate with the participant by checking the legality of the received response message and login message, respectively. erefore, the proposed protocol can support mutual authentication.
(iii) User anonymity: according to the proposed protocol, the user's identity ID U i is only in the message F � (D‖ID U i ‖e‖ID S j ) ⊕ H 2 (g r 1 ). To get ID U i , adversary needs to compute g r 1 from C � r 1 · (H 1 (ID S j ) · P + P pub ), and it turns out the adversary need to solve the k-mBIDH problem. en, we know that the proposed protocol can provide user anonymity as long as k-mBIDH problem is hard. (iv) Untraceability: according to the proposed protocol, user generates a new random number r 1 ∈ Z * q to compute C � r 1 · (H 1 (ID S j ) · P + P pub ), g r 1 , F � (a i ‖D‖ID U i ‖e‖ID S j ) ⊕ H 2 (g r 1 ). Due to the randomness of r 1 , adversary cannot find any relation of messages sent by the user and cannot trace the user's behavior. erefore, the proposed protocol can provide untraceability.
(v) Session key agreement: according to the proposed protocol, both two participants calculate session key sk � H 2 (g r 1 r 2 ), which can be used in future communications. erefore, the proposed protocol can provide session key agreement.
(vi) Perfect forward secrecy: assume the adversary obtains the long-term private keys of both the user and the service provider, and has intercepted $C, E, F, G, g_2$ exchanged between them. Using the service provider's private key, the adversary can compute $g_1 = e(C, d_{S_j}) = g^{r_1}$. To obtain the session key $sk = H_2(g^{r_1 r_2})$, the adversary must then compute $g_1^{r_2} = g_2^{r_1} = g^{r_1 r_2}$ from $g_1 = g^{r_1}$ and $g_2 = g^{r_2}$, that is, solve the CDH problem in $G_2$. Since the CDH problem is hard, the proposed protocol provides perfect forward secrecy.
(vii) No smart-card-loss attack [20]: assume the adversary steals the user's device and extracts the data stored in it by a side-channel attack. The adversary can guess a password $pw$, but cannot verify the guess offline because the fuzzy-verifier technique [27,28] is used. As the adversary cannot learn the user's password, he/she cannot obtain the user's private key $d_{U_i}$ and therefore cannot impersonate the user to the service provider. Hence the proposed protocol resists the smart-card-loss attack.

Hierarchical authentication (only satisfied by the proposed protocol): the hierarchical information $KR_i$ is embedded in the user's private key $d_{U_i} = \frac{1}{s + H_1(ID_{U_i} \,\|\, e \,\|\, KR_i)} \cdot P$. When the user authenticates with a service provider, the service provider checks the user's authentication right by verifying whether the equation $e(E,\; H_1(ID_{U_i} \,\|\, e \,\|\, KR_i) \cdot P + P_{pub}) \stackrel{?}{=} g_1 \cdot g^{D}$ holds.
(xi) Resistance to various attacks: the proposed protocol resists the insider attack, the replay attack, the man-in-the-middle attack, and so on. We briefly describe these as follows:

(1) Temporary information attack: if the adversary learns the ephemeral secrets $r_1, r_2$, he/she cannot derive the user's private key from $E = (r_1 + D) \cdot d_{U_i}$ by knowing $r_1$ alone, because the scalar applied to $d_{U_i}$ combines the session secret $r_1$ with the value $D$. This argument holds only as long as $D$ is not also exposed: $(r_1 + D)$ is invertible modulo $q$, so an adversary holding $r_1$, $D$ and the transmitted $E$ could compute $d_{U_i} = (r_1 + D)^{-1} \cdot E$.

(2) Insider attack: suppose an insider obtains the user's registration information $ID_{U_i}$, $H_3(pw \,\|\, \sigma_i)$. The insider can guess a password $pw$, but cannot verify the guess, because the password is protected by the secure hash function together with the biometric key $\sigma_i$. Thus the insider cannot learn the user's password, and the proposed protocol withstands the insider attack.
(3) User impersonation attack [38,39]: by the proof of Lemma 1, no adversary can forge a legal login message without the user's private key, so the service provider detects the attack by verifying the validity of the received login message. Therefore, the proposed protocol resists the user impersonation attack.
(4) Server spoofing attack: by the proof of Lemma 2, no adversary can generate a legal response message without the service provider's private key, so the user detects the attack by verifying the validity of the received response message. Therefore, the proposed protocol resists the server spoofing attack.

(5) Modification attack: by the proof of Lemma 1, $\{C, E, F\}$ constitutes a digital signature on the login message, and no polynomial-time adversary can forge a legal one. The service provider detects any modification by checking whether $g_1 = g^{r_1} = e(C, d_{S_j})$ and $e(E,\; H_1(ID_{U_i} \,\|\, e \,\|\, KR_i) \cdot P + P_{pub}) \stackrel{?}{=} g_1 \cdot g^{D}$ hold. Moreover, $G$ is a message authentication code over $\{C, E, F\}$ under the key $g_1 = e(C, d_{S_j})$, carried in the response message, so the user detects any modification of the response message because the hash function $H_4(\cdot)$ is secure. Therefore, the proposed protocol resists the modification attack.

(6) Replay attack: in every run, both participants generate fresh random numbers $r_1, r_2 \in Z_q^*$ and the corresponding $g_1 = g^{r_1}$, $g_2 = g^{r_2}$, which enter the login message and the response message respectively. Owing to the freshness of $g_1$ and $g_2$, the user and the service provider detect replayed messages when they check the validity of the received message. Therefore, the proposed protocol resists the replay attack.

(7) Man-in-the-middle attack: as shown above, the proposed protocol provides mutual authentication between the two participants. Therefore, the proposed protocol resists the man-in-the-middle attack.
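To make the checks discussed in items (ii) to (vii) and (xi) concrete, the following Python script, an added example and not code from the paper, runs one login/response exchange end to end: the registration center extracts $d_{S_j}$ and $d_{U_i}$, the user builds $\{C, E, F\}$, the service provider recovers $g_1 = e(C, d_{S_j})$, unmasks $F$, checks $e(E,\; H_1(ID_{U_i}\,\|\,e\,\|\,KR_i) \cdot P + P_{pub}) = g_1 \cdot g^{D}$, and both sides derive $sk = H_2(g^{r_1 r_2})$. The pairing is emulated by a toy symmetric bilinear map over $Z_q$ and an order-$q$ subgroup of $Z_p^*$, which makes the algebra runnable but provides no security (discrete logarithms in this $G_1$ are trivial). Everything not stated in the paper is an assumption made here: the exact inputs of $D$ and of the MAC $G$, the form $d_{S_j} = (s + H_1(ID_{S_j}))^{-1} \cdot P$ inferred from $e(C, d_{S_j}) = g^{r_1}$, the toy group sizes, the 32-bit identities and expiry, and the stand-in $KR$ values for two hierarchy levels.

```python
"""Toy run of the login/response exchange analysed above (added example, not the paper's code).
The pairing is emulated: G1 is Z_q written additively (P = 1, so a*P is a mod q), G2 is the
order-q subgroup of Z_p^* generated by g = e(P, P), and e(a*P, b*P) = g^(a*b) mod p.  Discrete
logs in this G1 are trivial, so the script demonstrates the verification algebra, not security."""
import hashlib
import secrets

Q = (1 << 61) - 1  # group order q: the Mersenne prime M61 (toy size, an assumption)
def _is_prime(n):  # Miller-Rabin; this base set is deterministic for n < 3.3e24
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def _setup_g2(q):  # smallest prime p = k*q + 1 (k even) and a generator of its order-q subgroup
    k = 2
    while not _is_prime(k * q + 1):
        k += 2
    p = k * q + 1
    return p, next(g for g in (pow(h, k, p) for h in range(2, p)) if g != 1)

P_MOD, G = _setup_g2(Q)
def pair(a, b):  # toy bilinear map e(a*P, b*P) = g^(a*b) mod p, symmetric like the paper's Ate pairing
    return pow(G, a * b % Q, P_MOD)
def _b(x):  # fixed-width encoding of a group element for hashing
    return x.to_bytes(16, "big")
def _H(tag, *parts):  # domain-separated SHA-256 standing in for H1..H4
    return hashlib.sha256(tag + b"".join(parts)).digest()
def H1(*parts): return int.from_bytes(_H(b"H1", *parts), "big") % Q  # {0,1}* -> Z_q, scalar on P
def H2(x): return _H(b"H2", _b(x))                                    # G2 -> 256-bit mask / key
def H3(*parts): return _H(b"H3", *parts)[:20]                         # 160-bit D (inputs assumed)
def H4(key, *parts): return _H(b"H4", _b(key), *parts)                # MAC G keyed with g1 (inputs assumed)
def _xor(a, b): return bytes(x ^ y for x, y in zip(a, b))

def rc_extract(s, *ident):
    """Registration center: (1/(s + H1(ident)))*P.  d_U uses ident = (ID_U, e, KR_i) as stated
    in the analysis; d_S uses ident = (ID_S,), inferred from g1 = e(C, d_S) = g^r1."""
    return pow((s + H1(*ident)) % Q, -1, Q)

def user_login(id_u, e, id_s, d_u, p_pub):
    """User: build the login message {C, E, F}; keep (r1, g1) for the second step."""
    r1 = secrets.randbelow(Q - 1) + 1
    C = r1 * (H1(id_s) + p_pub) % Q                # C = r1*(H1(ID_S)*P + P_pub)
    g1 = pow(G, r1, P_MOD)                         # g^r1
    D = H3(_b(C), id_u, e, id_s)                   # assumption: D binds C to the identities
    E = (r1 + int.from_bytes(D, "big")) * d_u % Q  # E = (r1 + D)*d_U
    F = _xor(D + id_u + e + id_s, H2(g1))          # 20+4+4+4 bytes = 256 bits, as in the cost analysis
    return {"C": C, "E": E, "F": F}, (r1, g1)

def server_respond(login, my_id, d_s, p_pub, kr_served):
    """Service provider: recover g1, check the authentication right, answer {G, g2}."""
    C, E, F = login["C"], login["E"], login["F"]
    g1 = pair(C, d_s)                              # e(C, d_S) = g^(r1*(H1(ID_S)+s)/(s+H1(ID_S))) = g^r1
    plain = _xor(F, H2(g1))
    D, id_u, e, id_s = plain[:20], plain[20:24], plain[24:28], plain[28:32]
    if id_s != my_id:
        return None
    # e(E, H1(ID_U||e||KR_i)*P + P_pub) == g1 * g^D; kr_served is the KR of the level served (assumption)
    lhs = pair(E, (H1(id_u, e, kr_served) + p_pub) % Q)
    if lhs != g1 * pow(G, int.from_bytes(D, "big"), P_MOD) % P_MOD:
        return None
    r2 = secrets.randbelow(Q - 1) + 1
    g2 = pow(G, r2, P_MOD)                         # g^r2
    mac = H4(g1, _b(C), _b(E), F, _b(g2))          # G: MAC over the exchange under key g1
    return {"G": mac, "g2": g2}, H2(pow(g1, r2, P_MOD))  # sk = H2(g^(r1*r2))

def user_finish(login, state, msg):
    """User: verify G with its own g1, then derive the same session key."""
    r1, g1 = state
    if H4(g1, _b(login["C"]), _b(login["E"]), login["F"], _b(msg["g2"])) != msg["G"]:
        return None
    return H2(pow(msg["g2"], r1, P_MOD))           # sk = H2(g^(r2*r1))

# Stand-ins for the Merkle-tree-derived hierarchy values KR_i of two levels (assumption).
KR_LEVEL1, KR_LEVEL2 = (hashlib.sha256(b"level-%d" % i).digest() for i in (1, 2))

def run_exchange(user_kr, server_kr, tamper_e=False):
    """Fresh RC, one exchange; returns (user_sk, server_sk), or (None, None) if the server rejects."""
    s = secrets.randbelow(Q - 1) + 1               # master secret; P_pub = s*P is s itself since P = 1
    id_u, e, id_s = b"\x00\x00\x00\x07", b"\x5e\x00\x00\x00", b"\x00\x00\x00\x2a"  # constructed
    d_u, d_s = rc_extract(s, id_u, e, user_kr), rc_extract(s, id_s)
    login, state = user_login(id_u, e, id_s, d_u, s)
    if tamper_e:
        login["E"] = (login["E"] + 1) % Q          # in-transit modification of E
    resp = server_respond(login, id_s, d_s, s, server_kr)
    if resp is None:
        return None, None
    msg, server_sk = resp
    return user_finish(login, state, msg), server_sk
```

Running `run_exchange(KR_LEVEL1, KR_LEVEL1)` yields two equal 256-bit keys; `run_exchange(KR_LEVEL2, KR_LEVEL1)` returns `(None, None)` because a user registered at level 2 fails the authentication-right check at a level-1 service provider ($KR_i$ differs, so $H_1(ID_{U_i}\,\|\,e\,\|\,KR_i)$ no longer cancels the denominator of $d_{U_i}$); and `run_exchange(KR_LEVEL1, KR_LEVEL1, tamper_e=True)` returns `(None, None)`, which is the modification check of item (5) in action. Because $r_1$ is drawn fresh, two honest runs never produce the same $C$ or the same key, which is the freshness the replay and untraceability arguments rely on.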

Security Comparison.
In this part, we compare the security of the proposed protocol with other multiserver architecture protocols in Table 6. We introduce a new independent criterion based on a widely adopted standard [40,41].

Performance Comparison
We now give the computation and communication costs of the proposed protocol and compare them with other protocols. To reach a security level comparable to 1024-bit RSA, an Ate pairing $e: G_1 \times G_1 \to G_2$ is used, where $G_1$ is a group of prime order $q$ generated by a point on the supersingular elliptic curve $E(F_p): y^2 = x^3 + 1$ defined over the finite field $F_p$. The order $q$ is a 160-bit prime and $p$ is a 512-bit prime.

Computation Cost Comparison.
We give the running time of each operation performed in the proposed protocol and compare the results with He et al. [15] and Odelu et al. [14]. The notation used for these running times, together with the measured values, is listed in Table 7.
We compare the computation costs of the proposed protocol with He et al. [15] and Odelu et al. [14] based on the running time on the user side and on the service provider side; the result is shown in Table 6.

Communication Cost Comparison.
According to the security level described above, $q$ is a 160-bit prime and $p$ is a 512-bit prime. The size of an element of $G_1$ or $G_2$ is 1024 bits, the output of the hash function is 160 bits, and the identity and the expiry parameter are 32 bits each. In our protocol, only two rounds of communication are needed to establish a session key. On the client side, the messages $C, E, F$ require $320 + 320 + 256 = 896$ bits, and on the service provider side, the messages $G, g_2$ require $160 + 512 = 672$ bits, for a total communication cost of 1568 bits. In He et al.'s protocol [15], the client-side messages $R_{U_i}, C_{U_i}$ require $1024 + 32 + 1024 + 160 = 2240$ bits, and the server-side messages $y, \alpha_{S_j}$ require $1024 + 160 = 1184$ bits. In Odelu et al.'s protocol [14], the client-side messages $M_1, M_3$ require $320 + 512 = 832$ bits, and the server-side message $M_2$ requires 672 bits. The comparison of communication costs is shown in Table 6.

Storage Cost Analysis.
Because mobile devices have limited storage, we analyze the storage cost on the user side to show that the proposed protocol has a reasonable storage cost. In Odelu et al.'s protocol, a user stores $E_{i,Lt_i}, e_i, \theta_i, t, e, Lt_i, P, P_{pub}, g, q$ on the device, which costs 1674 bits. In He et al.'s protocol, the user stores $R_{u_i}, y, a_{s_j}, g_{U_i}, \psi_{U_i}, v_{U_i}, b_{U_i}$, which costs 3230 bits. In our protocol, the user stores $A, B, \theta_i, a_i, e, P, P_{pub}, g, q$, which costs 1834 bits.

Conclusion
In this paper, we have proposed a hierarchical authentication protocol for the multiserver environment. The main contribution is an authentication right tree built on the Merkle hash tree, which a service provider uses to verify the authentication right of a user during authentication. The added hierarchical authentication feature brings more flexibility and security to the multiserver architecture. The security proof demonstrates that our protocol is provably secure in the random oracle model, and its computation and communication costs are reasonable, which makes it suitable for multiserver architectures.

Data Availability
No data were used to support this study.

Conflicts of Interest
The authors declare that there are no conflicts of interest regarding the publication of this article.