Secure Three-Factor Anonymous User Authentication Scheme for Cloud Computing Environment

Cloud computing provides virtualized information technology (IT) resources to ensure the workflow desired by the user at any time and location; it allows users to borrow computing resources such as software, storage, and servers, as per their needs, without requiring complicated network and server configurations. With the generalization of small embedded sensor devices and the commercialization of the Internet of Things (IoT), short- and long-range wireless network technologies are being developed rapidly, and the demand for deployment of cloud computing for IoT is increasing significantly. Cloud computing, together with IoT technology, can be used to collect and analyse large amounts of data generated from sensor devices and to easily manage heterogeneous IoT devices through functions such as software updates, network flow control, and user management. In cloud computing, attacks on users and servers can be a serious threat to user privacy. Thus, various user authentication schemes have been proposed to prevent different types of attacks. In this paper, we discuss the security and functional weaknesses of the related user authentication schemes used in cloud computing and propose a new elliptic curve cryptography (ECC)-based three-factor authentication scheme to overcome the security shortcomings of existing authentication schemes. To confirm the security of the proposed scheme, we conducted both formal and informal analyses. Finally, we compared the performance of the proposed scheme with those of related schemes to verify that the proposed scheme can be deployed in the real world.


Introduction
With the significant advances in information technology (IT), numerous types of devices can connect to the Internet and have a variety of features that can be used for different purposes. Using these devices with wireless network technologies, such as Wi-Fi, Bluetooth, 5G, 6LoWPAN, and LoRa, has allowed the practical deployment of the Internet of Things (IoT) [1]. IoT enables the networking of various types of embedded devices, such as home, mobile, and wearable devices, allowing them to communicate with people and objects at any time and location in our daily lives [2].
When combined with cloud computing, IoT technologies can collect and analyse large amounts of data from devices connected to an IoT network with hyperconnectivity and hyperintelligence surpassing the limits of time and space in various areas such as urban life, traffic, welfare, safety, healthcare, manufacturing, energy, finance, and logistics [3,4].
Cloud computing provides IT resources on demand over the Internet. Cloud computing providers are building and maintaining physical data centers and servers, and users can enjoy the benefits of custom cloud services for greater computing power, storage, and database.
With such advantages, cloud computing is becoming a paradigm for the processing, storage, and utilization of large amounts of data generated by billions of smart devices because it can overcome the limitations of such devices, including low capacity and limited processing capability. The integration of IoT with cloud computing allows for better scalability, interoperability, reliability, efficiency, availability, and security through the utilization of various devices and technologies [5]. In addition, it provides benefits such as easy access, use, and deployment-cost reductions. A cloud computing environment can serve as a stable network environment for connection with IoT devices and provide storage for big data generated from IoT devices to securely keep and process the data for analysis. With these advantages, both individuals and small companies can benefit from cloud services.
In general, there are three types of cloud services [6]:
(1) Infrastructure as a service (IaaS): providing the user with an infrastructure including storage and network use
(2) Platform as a service (PaaS): providing the user with a platform to develop various applications
(3) Software as a service (SaaS): providing the user with software applications
Because cloud computing is deployed in a practical manner, there have been growing concerns regarding its security. As mentioned earlier, clouds are used in various industries and services; thus, cloud servers can collect and process sensitive data, and it can seriously affect user privacy.
Security issues associated with cloud computing include various aspects such as embedded security, application security, trust and conviction, client management, cloud data storage, and operating systems. Among the different security requirements, the first security requirement for the protection of user privacy is user authentication that verifies a user's identity with a trusted party. There are three authentication factors used to verify the user identity: (i) what you know (e.g., secret information such as a password), (ii) what you have (e.g., things we own such as smart cards), and (iii) who you are (e.g., biometric such as fingerprint or iris data) [7].
In recent years, various user authentication schemes have been proposed [8][9][10][11][12], and user authentication studies using various cryptographic primitives have been proposed to protect a user's personal information in a cloud environment. However, the investigation into such studies has revealed that the level of security is still insufficient to authenticate and manage users in the current cloud computing environment. Therefore, in this paper, to strengthen the security of previously proposed schemes, we first report problems in the related authentication scheme used in a cloud computing environment and then propose a new authentication scheme to overcome these problems.
1.1. Motivations. Since Lamport [13] first proposed a password-based authentication scheme, many relevant studies on suitable two-factor authentication schemes in various network environments have been proposed to protect user privacy. After the introduction of cloud computing systems, authentication schemes using various encryption technologies, including the Advanced Encryption Standard (AES), hash function, Chebyshev polynomials, and Elliptic Curve Cryptography (ECC), began to be studied to provide secure user authentication and improve security and efficiency.
Amin et al. [14] proposed a user authentication scheme for a distributed IoT cloud environment. However, Wang et al. [15] found that Amin et al.'s scheme has some weaknesses: it is vulnerable to a stolen smart card attack, violates user anonymity and forward secrecy, has a time synchronization problem, and provides an insecure identity update phase. Wang et al. [15] also proposed a new authentication scheme to eliminate the security concerns associated with Amin et al.'s scheme [14] by applying ECC to share the session key between the user and the cloud server. Nevertheless, their scheme does not provide a session key verification at the end of the authentication phase; an invalid session key may be generated between the user and the cloud server without detecting communication errors that may occur while sharing the parameters for the establishment of a session key.
In 2017, Kumari et al. [16] proposed a biometrics-based three-factor authentication scheme in a multicloud server environment using ECC and proved that the scheme is secure for cloud computing environments, but it does not provide an identity update phase.
In 2019, Zhou et al. [17] proposed a lightweight authentication scheme for an IoT-cloud architecture using only hash and exclusive-OR (XOR) operations; it is relatively lightweight in comparison with other schemes [14,18] and satisfies some of the security properties required for cloud computing. However, Martínez-Peláez et al. [19] reported that Wang et al.'s scheme [15] has security vulnerabilities to insider attacks, man-in-the-middle attacks through a replay attack, and user impersonation attacks. Martínez-Peláez et al. [19] then proposed a new lightweight authentication scheme to provide secure access to users by improving the scheme developed by Zhou et al. [17]. However, Yu et al. [20] found that Martínez-Peláez et al.'s scheme [19] is vulnerable to impersonation attacks, session key-disclosure attacks, and replay attacks and that it does not ensure user anonymity. Yu et al. [20] then proposed a lightweight three-factor-based authentication scheme for IoT use in a cloud computing environment to enhance the level of security. In their scheme, the cloud server changes the identity of the user during each session. However, users cannot recover or update their own identity themselves.
In this paper, based on the same network model used in the abovementioned related schemes for cloud computing, we propose a new three-factor user authentication scheme to enhance the level of security and efficiently manage users by eliminating the security and functional flaws of the related schemes. In the proposed scheme, we selected ECC from various cryptographic building blocks because it has various advantages. For example, the security of an ECC system increases exponentially with the key length, and ECC has a shorter key length and faster operation speed than the RSA algorithm. This is particularly effective in applications where the processing capacity is limited; these include memory, smart cards, and wireless communication terminals [21]. ECC has been standardized for digital signature algorithms and key exchanges (e.g., ANSI X9.62 and X9.63) and is widely accepted in various network communication standards such as IPsec (RFC 2409) and TLS (RFC 4492).

1.2. Organization of the Paper. The remainder of this paper is organized as follows. Section 2 presents the preliminaries for security considerations and background of the network model. In Section 3, we detail a secure three-factor anonymous user authentication scheme for a cloud computing environment. We describe the informal and formal security analyses in Sections 4 and 5, respectively. In Section 6, we evaluate the performance of the proposed scheme. Finally, we provide some concluding remarks in Section 7.

Preliminary
2.1. Network Model. The network model of the proposed protocol in the IoT environment is based on the cloud server environment adopted in the protocol described in [16][17][18][19][20], as shown in Figure 1. There are three participants in this model:
(1) Registration authority (RA): RA is a trusted authority that creates all system parameters and issues them to users and cloud servers through the registration process
(2) User ($U_i$): $U_i$ wishes to access and enjoy the services provided by the cloud server using an IoT device. For this purpose, the RA shares the session key with the cloud server
(3) Cloud server ($CS_j$): $CS_j$ provides IoT cloud services to users
This network model is for a cloud server-centric service in which the cloud server collects and processes information from IoT devices and shares it with users. For example, a real-world scenario for this is as follows: Alex's grandfather has dementia, and his family is concerned about his grandfather's health and fears that he may get lost when he goes out. The smartwatch worn by the grandfather can check his health condition through the built-in sensor and transmits the GPS information to the cloud server. Alex's family wants to use a service that can trace and check the location and health of their grandfather in real time. To this end, Alex's family and grandfather ($U_i$) first register their identifier with the registration authority (RA) to sign up for this IoT-based cloud service. RA issues security parameters to be used when establishing a session key with $CS_j$ (assume that $CS_j$ is already registered). Information about the grandfather is sensitive. It should be shared only with the family. To this end, Alex creates a group through the interface provided by the cloud platform, adds family members as group members, and adds the grandfather's smartwatch and the family's smartphones as devices to set permission to access information shared by registered devices.
$U_i$ and $CS_j$ generate the session key through the authentication process; the family and grandfather can safely share information.

Elliptic Curve Cryptography.
In this study, we apply elliptic curve cryptography to the proposed scheme, which provides a high level of security with a small key size [22]. ECC is based on the logarithm problems expressed in the point addition and multiplication of elliptic curves.
An elliptic curve is given by $E_p(a, b)$: $y^2 = x^3 + ax + b \bmod p$ over a finite field $F_p$, where $p$ is the prime order and $a, b \in F_p$ such that $p > 3$ and $4a^3 + 27b^2 \neq 0 \bmod p$. The point multiplication over $E_p(a, b)$ is defined through a repetitive addition as $P + P + \cdots + P$ ($a$ times) $= aP$, where $P$ is a point on $E_p(a, b)$ and $a \in F_p^*$ is a random integer. The security of ECC relies on the following assumptions:
(1) Elliptic curve discrete logarithm problem (ECDLP): given $P, aP \in E_p(a, b)$, it is computationally infeasible to find $a$ within polynomial time
(2) Elliptic curve computational Diffie-Hellman problem (ECCDHP): given $aP, bP \in E_p(a, b)$, it is computationally infeasible to find $abP$ in polynomial time
2.3. Bio-Hash Function. In the proposed scheme, we use a bio-hash function. In 2004, Jin et al. [23] proposed a solution to the problem of false rejection in which a genuine user is misidentified for various reasons, such as when experiencing dry or cracked skin. The bio-hash maps the biometric features to a binary string with a user-specific tokenized pseudo-random number. In three-factor authentication, many researchers use a bio-hash to identify the biometric features of the users [24][25][26]. It is a simple and efficient tool for resource-constrained devices such as IoT sensor devices.
For a security analysis in this paper, we consider the adversarial model as follows [27][28][29]:
(1) The attacker can control the public communication channel by interrupting, returning, amending, eliminating, or transmitting newly forged messages
(2) The attacker can extract the security parameters in the smart device using a side-channel attack
(3) The attacker can guess the user's identity and password by enumerating all possible items in polynomial time. The time of such an attack conducted to determine the correct identity and password is linear to the dictionary size

Proposed Scheme
In this section, we propose an improved three-factor authentication scheme in the cloud environment. Our scheme consists of (1) a registration phase, (2) a login and authentication phase, (3) a password change phase, and (4) an identity update phase. All notations used in this paper are listed in Table 1.
3.1. User Registration Phase. In this phase, $U_i$ registers with RA and shares secret parameters for later login and authentication using an IoT smart device. The registration phase of $U_i$ shown in Figure 2 is as follows.
(1) $U_i$ who wants to register in RA enters $ID_i$, $PW_i$, and $BIO_i$, and computes $PWB_i = h(PW_i \| BIO_i)$ and $UID_i = h(ID_i \| PWB_i)$
(2) $U_i$ sends a registration request $\langle ID_i, PWB_i, UID_i \rangle$ through a secure channel
(3) After receiving the registration request message from $U_i$, RA first searches for $UID_i$ in User List to check whether the user's $ID_i$ is already registered. If $UID_i$ does not exist in User List, RA selects a random number $r$ and computes $D_i = h(UID_i \| x \| r)$, Figure 3 is as follows.
(1) $CS_j$ selects $CID_j$ and sends it to RA
(2) RA computes $Ckey_j = h(CID_j \| x)$ and sends it to $CS_j$
3.3. Login and Authentication Phase. To access a cloud server $CS_j$, $U_i$ begins a login and authentication protocol on the public channel through the support of RA. In this phase, RA confirms the legitimacy of $U_i$ and $CS_j$; thus, they establish a session key for future communication. To this end, the following steps, shown in Figure 4, are executed.
If $C_i^*$ and $C_i$ are not equal, $U_i$ terminates the login phase; otherwise, it chooses a random number $a$, and computes $X_1 = aPub$,
$CS_j$ computes $V_{cs}^* = h(Y_1 \| Y_2 \| Ckey_j \| K_j \| X_2)$ and checks whether $V_{cs}^*$ and $V_{cs}$ are equal. If they are equal, $CS_j$ computes $Y_3 = bX_2$, $H_j = U_{cs} \oplus H(Y_1 \| Y_2 \| Ckey_j)$, $SK_{ji} = h(Y_2 \| X_2 \| Y_3 \| H_j)$, and $SV_j = h(SK_{ji} \|$
If $SV_i$ and $SV_j$ are equal, $U_i$ and $CS_j$ have successfully shared the session key with each other; otherwise, the login authentication step has failed
3.4. Password Change Phase. In this phase, $U_i$ can change to a new password offline. The password change phase shown in Figure 5 is as follows:
3.5. Identity Update Phase. When users want to change their identity or phone number, they need to update their identity.
In the proposed scheme, $U_i$ can perform an identity update process through RA by entering the old identity $ID_i$ and new identity $ID_i^{new}$, shown in Figure 6, as follows:
i and $C_i$ are equal, $U_i$ chooses a random number $a$, and computes $X_1 = aPub$, $X_2 = aP$, $UID^{new}$
If $G_i^*$ and $G_i$ are not equal, RA rejects the request and sets Honey List = Honey List + 1. Once it exceeds the preset value, $U_i$ is suspended

Security Comparison with the Related Scheme
This section provides a security comparison with other relevant schemes [15,16,19,30]. For detailed procedures of the compared schemes, see Appendices A, B, C, and D.
(1) Wang et al. [15]: Wang et al.'s scheme does not provide a verification process for the session key. In their scheme, after $CS_j$ sends $\langle Y_2, Q_{cs} \rangle$ and $U_i$ checks the legitimacy of $Q_{cs}$, $U_i$ generates a session key $SK_i = h(Y_2 \| X_2 \| X_3)$. Here, after $U_i$ considers that the session key has been shared with $CS_j$, the authentication process is terminated. However, $U_i$ does not check whether $SK_i$ is the same as $SK_j$ generated by $CS_j$. If the session key is created incorrectly due to some error, the session key establishment process has to be executed again
(2) Kumari et al. [16] and Wang et al. [30]: their scheme consists of registration, login, authentication, and password change steps. However, it does not provide an identity update process for the user. This process is necessary when the mobile phone number of $U_i$ changes or the identity has to be changed for security reasons
(3) Martínez-Peláez et al. [19]: in their scheme, the adversary can extract the secret parameters $\langle PID_i, C_2, C_3, C_4, h(n_U) \rangle$ from the smart card of the user and intercept $D_1$ from message $M_1$. Then, the adversary can compute the real identity $ID_i = C_2 \oplus D_1$. From now on, by creating $T_u$ and $n_U$, an attacker can construct a malicious message $M_1$ that can easily impersonate a user. After that, the message generated by the attacker is delivered to the cloud server and the RA and processed. Eventually, the attacker will share the session key with the cloud server. In the aftermath of this attack, the attacker can acquire $T_U^{new}$, $T_S^{new}$, $T_{CS}^{new}$, $n_U^{new}$, $n_S^{new}$, and $n_{CS}^{new}$. Therefore, their scheme cannot resist user impersonation attacks and replay attacks, and violates mutual authentication and user anonymity. In addition, their scheme does not support three-factor authentication or the identity update for the user
In Table 2, we summarize the results of an informal analysis wherein the proposed scheme is compared with other relevant schemes. In the next section, we prove that our scheme satisfies all the security properties mentioned in Table 2.

Informal Analysis of the Proposed Scheme
In this section, we describe an informal analysis of the proposed scheme and show that it satisfies the desired security features and is secure against known attacks. In Table 2, we summarize the results of an informal analysis wherein the proposed scheme is compared with other relevant schemes.
In the user authentication phase of our scheme, the user's $ID_i$ is protected in $UID_i$ and is preserved by the user's secret value $X_1$. The attacker must know two values, $X_1$ and $H(BIO_i)$, to know the user's $ID_i$ from messages sent over a public channel. The value $X_1 = aPub = axP$ is under the ECCDH problem, and the $BIO_i$ is unique to each individual. Therefore, it is extremely difficult for an attacker to determine these two values, and thus, the proposed scheme guarantees user anonymity.
In message $M_1$, $G_i$, $F_i$, and $X_2$ contain a random number $a$, and in message $M_4$, $Y_2$ and $SV_j$ include random numbers $a$ and $b$. Because both random numbers are changed during each session, and it is difficult to solve the ECCDH problem, the connection between the messages in each session cannot be determined, and the user activity cannot be tracked. Thus, the proposed scheme ensures user untraceability.

Resistance to Stolen-Device Attack.
According to the attacker model, the attacker may extract the secret parameters $\langle C_i, E_i, P, Pub \rangle$ by applying a side-channel attack if the attacker acquires a user's IoT smart device. In this attack, an attacker attempts to guess $ID_i$ and $PW_i$ using the two values, $C_i$ and $E_i$, to impersonate a user or obtain the user's personal information. The attacker needs to know the $H(BIO_i)$ value to obtain the user's $ID_i$ and $PW_i$. However, the user's biometric information is unique to each individual. Therefore, the proposed scheme resists a stolen-device attack.

Mutual Authentication and Session Key Agreement.
In the proposed scheme, $U_i$ and $CS_j$ establish a session key through mutual authentication based on the support of RA. First, RA authenticates $U_i$ by validating $G_i$ included in $M_1$. The value of $D_i$ included in $G_i$ contains the server's private keys $x$ and $r$ stored in the user list maintained by RA. In addition, $U_i$ must calculate $D_i$ correctly at the login stage to verify its legitimacy to RA. Moreover, $CS_j$ verifies its identity to the RA by validating the value of $K_j$ contained in message $M_2$. To do so, $CS_j$ must include a valid $Ckey_j$ that contains the secret key $x$ of RA in $K_j$.
If $CS_j$ and $U_i$ are authenticated, the RA calculates $X_1$ and $Y_1$ (both can be calculated by a valid RA) and includes these two values in $U_{CS}$ and $V_{CS}$, respectively. After receiving message $M_3$, $CS_j$ calculates $V_{CS}^*$ and compares it with the received $V_{CS}$ to check the validity of the RA. Then, $CS_j$ multiplies $X_2$ by its random nonce $b$ to generate a value of $Y_3$, calculates the session key $SK_{ji}$ and $SV_j$ for the verification of the session key, and sends $SV_j$ to $U_i$.
After receiving message $M_4$, $U_i$ multiplies $Y_2$ by its random nonce $a$ to compute $X_3$, and calculates session key $SK_{ij}$ and verification value $SV_i$ for the session key.
Because the validity of $Y_2$ received from $CS_j$ is confirmed through the soundness of $SV_j$ by adding $UID_i^*$ into $SK_{ji}$, even if $Y_3$ is generated by multiplying any random nonce of the malicious attacker by $X_2$, the validation process for $SV_j$ generated by a malicious $CS_j$ is not passed. Therefore, the proposed scheme supports mutual authentication between $U_i$, $CS_j$, and RA and provides a secure session key establishment between $U_i$ and $CS_j$.
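The following Python sketch is an added example, not code from the paper: it implements the point multiplication defined in the Elliptic Curve Cryptography section and the $X_2$/$Y_2$/$Y_3$/$X_3$ exchange with the $SV$ comparison described above, and shows that the comparison catches a session-key mismatch that would otherwise go unnoticed. Assumptions: secp256k1 as the curve, SHA-256 as $h$, $Y_2 = bP$, $H_j$ treated as a value both sides already hold, and a constructed label in place of the second input of $SV_j$, which is cut off on this page.

```python
import hashlib
import hmac
import secrets

# secp256k1 parameters. The curve choice is an assumption of this example:
# the paper cites 160-bit ECC timings but names no specific curve.
P_FIELD = 2**256 - 2**32 - 977
A, B = 0, 7
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
CONFIRM_LABEL = b"key-confirmation"  # constructed; the page's SV_j input is cut off

def on_curve(pt):
    """True if pt satisfies y^2 = x^3 + ax + b mod p (None is the point at infinity)."""
    if pt is None:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P_FIELD == 0

def add(p1, p2):
    """Elliptic-curve point addition, including doubling and the identity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_FIELD == 0:
        return None  # P + (-P) = point at infinity
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1 % P_FIELD, -1, P_FIELD)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_FIELD, -1, P_FIELD)
    x3 = (lam * lam - x1 - x2) % P_FIELD
    return (x3, (lam * (x1 - x3) - y1) % P_FIELD)

def mul(k, pt):
    """Scalar multiplication kP by double-and-add (not constant-time; illustration only)."""
    result = None
    while k:
        if k & 1:
            result = add(result, pt)
        pt = add(pt, pt)
        k >>= 1
    return result

def h(*parts):
    """Hash of length-prefixed parts, standing in for h(a || b || ...)."""
    d = hashlib.sha256()
    for part in parts:
        d.update(len(part).to_bytes(4, "big") + part)
    return d.digest()

def enc(pt):
    """Fixed-width encoding of an affine point for hashing."""
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")

def user_start():
    """U_i: choose a random a and compute X2 = aP."""
    a = secrets.randbelow(N - 1) + 1
    return a, mul(a, G)

def server_respond(x2, h_j):
    """CS_j: Y2 = bP (assumed), Y3 = b*X2, SK_ji = h(Y2||X2||Y3||H_j), tag SV_j."""
    if x2 is None or not on_curve(x2):
        raise ValueError("X2 is not a valid curve point")
    b = secrets.randbelow(N - 1) + 1
    y2, y3 = mul(b, G), mul(b, x2)
    sk_ji = h(enc(y2), enc(x2), enc(y3), h_j)
    return y2, sk_ji, h(sk_ji, CONFIRM_LABEL)

def user_finish(a, x2, y2, sv_j, h_i, confirm=True):
    """U_i: X3 = a*Y2, SK_ij = h(Y2||X2||X3||H_i). With confirm=True the key is
    released only if SV_i == SV_j; otherwise None is returned."""
    if y2 is None or not on_curve(y2):
        return None  # reject malformed points before any secret-dependent math
    sk_ij = h(enc(y2), enc(x2), enc(mul(a, y2)), h_i)
    if confirm and not hmac.compare_digest(h(sk_ij, CONFIRM_LABEL), sv_j):
        return None
    return sk_ij

def run_session(tamper=None, confirm=True):
    """Run one exchange; tamper(Y2) models a transmission error on message M4."""
    h_shared = h(b"constructed stand-in for H_j")  # RA-derived value, assumed shared
    a, x2 = user_start()
    y2, sk_ji, sv_j = server_respond(x2, h_shared)
    if tamper:
        y2 = tamper(y2)
    return sk_ji, user_finish(a, x2, y2, sv_j, h_shared, confirm)

if __name__ == "__main__":
    shift = lambda y2: add(y2, G)  # a valid curve point, but not the one CS_j sent
    for name, args in [("honest", ()), ("wrong Y2, no check", (shift, False)),
                       ("wrong Y2, SV check", (shift,))]:
        sk_ji, sk_ij = run_session(*args)
        print(name, "->", "rejected" if sk_ij is None
              else "keys equal" if sk_ij == sk_ji else "KEYS DIFFER")
```

The middle case corresponds to the gap the paper attributes to Wang et al.'s scheme [15]: without the $SV$ comparison, the user keeps a key the server never derived.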

Verification of Session Key.
In the proposed scheme, $CS_j$ calculates $SV_j$, which includes the session key it has calculated, and transmits it to $U_i$. Then, $U_i$ also calculates $SV_i$ from the session key it has calculated and checks whether it is the same as $SV_j$. Therefore, the proposed scheme can prevent session key disagreement that may occur due to communication errors.
5.6. Resistance to User-Impersonation Attack. For an attacker to conduct a user impersonation attack, the attacker must either maliciously control the session key establishment process or extract secret parameters from the user's IoT smart device. However, as mentioned earlier, the proposed scheme guarantees mutual authentication and protection from stolen-device attacks. Therefore, the proposed scheme provides a safe protection technique using biometrics and under the ECCDH problem against user impersonation attacks.

Resistance to Replay Attack.
To establish a malicious session by pretending to be a participant in the communication, an attacker must know the random number a or b to create a session key by eavesdropping on the messages sent and received over the public channel and then reuse them. However, with the proposed scheme, the random numbers included in the session key are protected from the ECCDH problem. Even if an attacker attempts to connect a malicious session by replaying the message, communication in the next step cannot be continued without knowing the secret parameter or random nonce. Therefore, the proposed scheme resists a replay attack.

Local User Verification.
In the login and authentication phase of the proposed scheme, the user first enters $ID_i$, $PW_i$, and $BIO_i$ to calculate $C_i^*$ and then checks whether $C_i^*$ is equal to $C_i$ stored in the IoT smart device. Only a $U_i$ who has passed this local user verification procedure can perform the next mutual authentication phase. Because $U_i$ cannot log in without inputs of the user's legitimate personal information, the proposed scheme can block unauthorized access in the local area.

Resistance to Privileged-Insider Attack.
In the registration phase of the proposed scheme, the user sends $ID_i$, $UID_i$, and $PWB_i$ to the RA. To perform the privileged-insider attack, here, the insider of the RA needs $BIO_i$ to guess $PW_i$ of $U_i$. However, the user's $BIO_i$ is protected by $PW_i$, and thus, the malicious insider cannot impersonate $U_i$ to communicate with $CS_j$. In addition, the proposed scheme can change $PWB_i$ locally in $U_i$'s IoT smart device without an intervention of RA. Therefore, the proposed scheme is safe from an insider attack.

Forward Secrecy.
With the proposed scheme, the session key is not transmitted directly. Instead, the user and $CS_j$ agree on the session key by calculating the secret parameters constituting the session key. Here, the session key shared between them includes a different random nonce for each session. Therefore, it is difficult for an attacker to attempt to guess the session key by collecting the session key verification value $SV_j$. Therefore, the proposed scheme guarantees forward secrecy.

Formal Analysis of the Proposed Scheme
6.1. ProVerif. To prove the security of the proposed scheme, we adapted ProVerif [31], which is an automated tool used to analyse cryptographic protocols. ProVerif supports an analysis of protocols based on various cryptographic primitives such as symmetric and asymmetric cryptography, digital signatures, and hash functions. ProVerif is widely used by many researchers [32][33][34][35] to validate a security analysis of the key agreement and authentication schemes for various network environments. In this section, we introduce the ProVerif code and present the analysis results to verify the proposed scheme's security.
We present the process of predefined identifiers and the definitions of the proposed scheme in Figure 7. Here, we define the public and secure channels used among $U_i$, $CS_j$,
query id:bitstring; inj-event(endlotNode(id)) ==> inj-event(beginlotNode(id)).
We define the overall $CS_j$ process code for the proposed scheme, as shown in Figure 9. We model the registration phase in lines 60-64 and the login and authentication phase in lines 65-82. Figure 10 shows the overall RA process code for the proposed scheme. We model the registration phase in lines 84-94 and the login and authentication phase in lines 95-113.
The code shown in Figure 11 is intended to model the attacker's capabilities and verify the equivalencies of interprocess communication. The code in lines 115 and 116 checks whether the session keys $SK_{ij}$ and $SK_{ji}$ are secure against the attacker. The code in lines 117-119 verifies whether the internodal relationships of the proposed scheme are accurate during the procedure.
The execution of all codes described earlier verifies the effectiveness and availability of the simulated events and queries and generates the results of the simulation, as presented in Figure 12. This indicates that $U_i$, $CS_j$, and RA in the proposed scheme achieve a successful mutual authentication and securely establish the session key. Furthermore, it can be considered that the proposed scheme is secure against simulated attacks.

BAN Logic. Burrows-Abadi-Needham (BAN) logic [36] is used to prove the trust of each party in the authentication protocol on the formal logic. We utilize this logic to prove that $U_i$ and $CS_j$ share a valid and fresh session key through mutual authentication. We define the notations of BAN logic as follows:
(1) $U \triangleleft C$: $U$ sees condition $C$
We define five rules of BAN logic to prove the mutual authentication of the proposed scheme.
(1) Rule 1: message-meaning rule $\frac{U \mid\equiv U \stackrel{K}{\leftrightarrow} S,\ U \triangleleft (C)_K}{U \mid\equiv S \mid\sim C}$: if $U$ trusts that key $K$ is shared with $S$ and $U$ sees $C$ combined with $K$, then $U$ trusts that $S$ once said $C$
(2) Rule 2: nonce-verification rule $\frac{U \mid\equiv \#(C),\ U \mid\equiv S \mid\sim C}{U \mid\equiv S \mid\equiv C}$: if $U$ trusts the freshness of $C$ and trusts that $S$ once said $C$, then $U$ trusts that $S$ trusts $C$
if $U$ trusts that $S$ has jurisdiction over $C$, and $U$ trusts that $S$ trusts a condition $C$, then $U$ also trusts $C$
We must satisfy the following four goals:
(1) Goal 1:
We describe the main proof of the proposed scheme using the BAN logic rules, messages, and assumptions as follows:
(1) From $M_1$, we obtain $V_1$: $CS_j \triangleleft (CID_j, UID_i, P)_a$
(2) From $A_5$ and rule 1, we obtain $V_2$:
From goals 1, 2, 3, and 4 that we achieved earlier, we see that $U_i$ and $CS_j$ establish a session key through a secure mutual authentication.

Performance Analysis
In this section, we compare the computational and communication costs for the proposed scheme with those of other related schemes for cloud computing environments. We considered the computational cost and number of communications occurring during the login and authentication process. As described by Kocarev and Lian [37], we consider the execution time of cryptographic operations as follows:
(1) 160-bit elliptic multiplication operation: $T_e \approx 63.08$ ms
Table 3. The results reveal that Martínez-Peláez et al.'s scheme [19] is significantly faster in terms of computational time than the other schemes. However, as described in Section 1.2, Yu et al. [20] revealed that Martínez-Peláez et al.'s scheme [19] is vulnerable to various attacks. Wang et al.'s scheme [30] applies a Chebyshev chaotic map as a cryptographic primitive to strengthen the security of the session key. However, their scheme does not provide the identity update phase. The security of the schemes proposed by Kumari et al. [16] and Wang et al. [15] is based on ECC, through which the communication participants agree on the session key. However, Wang et al.'s scheme [15] does not provide the session key verification procedure to check its validity, and Kumari et al. [16] do not design the identity update phase in their scheme. Meanwhile, our scheme has slightly higher computational costs than those of Kumari et al.'s [16] and Wang et al.'s scheme [30], although the proposed scheme satisfies all security requirements, as mentioned in Section 5.
According to the results of previous analysis [28,38], we assume that the lengths of the identity, random number, and timestamp are 128, 64, and 32 bits, respectively, for a comparison of the communication costs. The hash function produces 160 bits; the block size of the symmetric encryption is 128 bits; the size of the Chebyshev polynomial is 128 bits; the size of the point multiplication on the elliptic curve is 160 bits. [30] are 2080, 2304, 3200, and 1696 bits, respectively. Table 3 shows that the scheme proposed by Wang et al. [30] requires the lowest communication cost, whereas the proposed scheme has the second-lowest communication cost. However, as shown in Table 2, Wang et al.'s scheme [30] does not support the identity update phase. Therefore, the proposed scheme is a more practical option in a cloud computing environment.

Conclusion
In this study, we conducted an informal analysis to demonstrate the security of the proposed scheme against various known attacks. In addition, using ProVerif and BAN logic, we applied a formal analysis to prove that the user and cloud server establish a session key through secure mutual authentication. Moreover, we conducted an analysis of the proposed scheme in terms of the security features and performance; we compared it with those of existing related schemes and proved that our proposed scheme ensures better safety and efficiency in user management and that it is suitable for use in a practical cloud computing environment.

Wireless Communications and Mobile Computing

Data Availability
The data used to support the findings of this study are included within the article.

Conflicts of Interest
The authors declare that there is no conflict of interest regarding the publication of this paper.