Provably Secure ECC-Based Three-Factor Authentication Scheme for Mobile Cloud Computing with Offline Registration Centre
Wireless Communications and Mobile Computing

Mobile cloud computing (MCC) aims at solving the resource constraint problem of smart mobile devices. It has deeply affected the way modern humans live and work. In MCC, an authentication scheme is indispensable to prevent attacks and privacy breaches. In this paper, we reveal that a recently proposed two-factor authentication scheme for MCC has limitations such as vulnerability to the stolen-verifier attack and the denial of service attack. In addition, its single-server architecture is not applicable to MCC. To enhance the security, we present a provably secure three-factor authentication scheme using the elliptic curve cryptosystem (ECC). It has the merit that the user only needs to register once to access multiple servers with a single public/private key pair, and the registration center is offline in the authentication phase. Security analysis demonstrates that our scheme is immune to known attacks and provides user friendliness. Finally, performance comparisons indicate that our scheme has better security attributes and low computation and communication overheads, and it is more applicable to MCC.


Introduction
With the popularity of smart mobile devices, the mobile Internet is becoming more and more important in our daily life and deeply affects the way modern humans live and work [1]. The mobile Internet provides high-quality telecommunication services such as voice, fax, data, image, and multimedia. We can obtain a variety of services anytime and anywhere through the mobile Internet. Various mobile Internet applications, including mobile payment, mobile e-commerce, and mobile entertainment, have emerged. Some of these applications, such as WeChat and Alipay, bring tremendous convenience to people. With the continuous development of the mobile Internet, the deficiency that smart mobile devices have limited storage capacity and processing power is gradually revealed. To resolve this issue, cloud computing [2] is introduced into the mobile Internet; therefore, a new technology, namely mobile cloud computing (MCC) [3], is produced. It aims at solving the resource constraint problem of smart mobile devices, and it can effectively increase the computing power and storage capacity of smart mobile devices.
In an MCC setting, the registration center, as a trusted third party, is responsible for issuing the secret key to users and cloud servers in the registration phase. In the authentication phase, the users access the resources and services deployed in distributed cloud servers via mobile and wireless networks, as shown in Figure 1. Due to the openness of the communication networks, an attacker can mount various attacks such as modification, forgery, and replay. It is indispensable to develop an authentication scheme for MCC that achieves identity authentication and secure data transmission, as well as the protection of user privacy.
1.1. Related Works. Since Lamport [4] presented the first password authentication scheme, a large number of schemes [5-18] that are applicable to different scenarios, adopt different cryptosystems, and employ different kinds of authentication factors have been presented. In 2001, Li et al. [17] presented the first multiserver authentication scheme, in which the user can register once and then access multiple servers with a pair of identity and password. Some authentication schemes for MCC [19-22] have been presented in recent years. In 2015, Tsai and Lo [3] introduced an authentication scheme for MCC with offline registration center using bilinear pairing. In 2017, Feng et al. [23] introduced a three-factor mobile multiserver authentication scheme using the elliptic curve cryptosystem (ECC). Amin et al. [24] introduced a lightweight two-factor authentication scheme for MCC; however, their scheme was found to have weaknesses such as the offline guessing attack [25]. In 2018, He et al. [26] pointed out that Tsai et al.'s scheme suffers from the server impersonation attack and proposed an improved scheme using identity-based signature, which provides better security features. In 2019, Irshad et al. [27] presented an enhanced authentication scheme for MCC using bilinear pairing, and Mo et al. [28] put forward a provably secure two-factor authentication scheme using ECC. In 2020, Li et al. [29] put forward a lattice-based password authenticated key exchange protocol that achieves quantum resistance.

Motivation and Contributions.
To improve the security and optimize the efficiency, we design a provably secure authentication scheme using ECC in this paper. Without public key cryptographic techniques, it is difficult to achieve user anonymity and forward secrecy [12]. By using ECC, the proposed scheme provides mutual authentication and user anonymity and establishes a secure session key. Compared with the existing schemes with offline registration center using bilinear pairing [3, 26-28], our ECC-based scheme is more efficient. Our major contributions are as follows.
(1) We prove that Mo et al.'s scheme [28] is vulnerable to the stolen-verifier attack, the denial of service attack, and the known session-specific temporary information attack, and that its single-server architecture is not applicable to MCC.

Review of Mo et al.'s Scheme

We review Mo et al.'s scheme [28] in this section. To initialize the system, the cloud server CS selects the master key $s$ and calculates the public key $PUB = sP$.
User Registration Phase. This phase is executed as follows. The user $U_i$ selects his identity $ID_i$, password $PW_i$, and a nonce $r_i$ and computes $R_i = H_1(r_i \| PW_i)$.

Authentication Phase. This phase is comprised of the following steps. The smart card chooses a nonce $r_1$ and computes $C_i = r_1 P$ and $D_i = r_1 PUB$. If the check on the server side does not hold, the protocol aborts. Otherwise, CS retrieves $(ID_i, N_i, T_i, SC_i)$ from the database based on $ID_i$ and computes $F_i^*$. If $F_i^*$ and $F_i$ are equal, CS chooses a nonce $r_2$ and computes $M_1 = r_2 P$, $M_2 = r_2 C_i$, and the session key.

Smartcard Revocation Phase. The smart card can be revoked through the following steps.
(Step1) $U_i$ performs step 1 of the authentication phase and sends a revocation request $\{PID_i, C_i, L_i, revoke\_request\}$ to CS.
(Step2) If $L_i^* = L_i$, CS deletes $(ID_i, N_i, T_i, SC_i)$ from the database. After that, the smart card cannot be used to login to CS. The user reregisters with CS to get a new smart card.

Weaknesses of Mo et al.'s Scheme

Stolen-Verifier Attack. Once the attacker has stolen the verification table of CS, he can impersonate the user $U_i$ through the following steps.
(Step1) The attacker obtains $(ID_i, N_i, T_i, SC_i)$ from the stolen verification table.
(Step2) The attacker chooses a nonce $r_1$ and computes the login request. As $L_i^* = L_i$ and $F_i^* = F_i$, CS regards the attacker as the legitimate user $U_i$. The essential reason for this attack is that the secret authentication value $F_i$ is merely based on the information stored in the verification table, rather than on the secret key of CS.

Figure 1 legend: RC, the registration center; $U_i$, the user; $CS_j$, the cloud server.

Denial of Service Attack. The attacker can get the smart card of $U_i$ revoked through the following steps.
(Step1) The adversary intercepts $\{PID_i, C_i, L_i\}$ from the public channel.
(Step2) The adversary sends the forged revocation request $\{PID_i, C_i, L_i, revoke\_request\}$ to CS. As $L_i^* = L_i$, CS deletes $(ID_i, N_i, T_i, SC_i)$ from the database.
After that, the legitimate user $U_i$ is unable to access CS without reregistration. The essential reason for this attack is that CS does not check the freshness of $\{PID_i, C_i, L_i, revoke\_request\}$. The attacker can forge a revocation request using the intercepted $\{PID_i, C_i, L_i\}$.
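The following Python simulation, added here as an illustration and not part of the original paper or of Mo et al.'s scheme, reproduces the failure mode above with stand-ins for the reviewed scheme's values: the verifier record, the login authenticator $L_i$ (HMAC-SHA256 over $PID_i \| C_i$), and the nonce commitment $C_i$ are all constructed for the example. The hardened variant (a per-request server challenge bound by a MAC, plus a cache of $C_i$ values already consumed) is one possible countermeasure that a practitioner would add; it is not the fix proposed later in this paper.

```python
import hashlib
import hmac
import secrets


def mac(key, *parts):
    """Authenticator over the '||'-joined parts. HMAC-SHA256 stands in for the
    hash-based values L_i and F_i of the reviewed scheme (an assumption of this example)."""
    return hmac.new(key, b"||".join(str(x).encode() for x in parts), hashlib.sha256).hexdigest()


class CloudServer:
    """Toy CS. 'table' plays the role of the verifier table (ID_i, N_i, T_i, SC_i);
    here it simply maps the user's pseudonym to a per-user secret fixed at registration."""

    def __init__(self, hardened):
        self.hardened = hardened
        self.table = {}        # PID_i -> registration secret
        self.seen_C = set()    # hardened only: C_i values already consumed
        self.challenges = {}   # hardened only: PID_i -> outstanding server nonce

    def register(self, PID_i):
        self.table[PID_i] = secrets.token_bytes(32)
        return self.table[PID_i]

    def login(self, PID_i, C_i, L_i):
        """Step 1 of the authentication phase: check L_i over {PID_i, C_i}."""
        secret = self.table.get(PID_i)
        if secret is None or not hmac.compare_digest(L_i, mac(secret, PID_i, C_i)):
            return False
        if self.hardened:              # a C_i (= r_1 P in the paper) must never be accepted twice
            if C_i in self.seen_C:
                return False
            self.seen_C.add(C_i)
        return True

    def challenge(self, PID_i):
        """Hardened only: fresh server nonce that a revocation request must be bound to."""
        self.challenges[PID_i] = secrets.token_hex(16)
        return self.challenges[PID_i]

    def revoke(self, msg):
        PID_i, C_i = msg["PID_i"], msg["C_i"]
        if not self.hardened:
            # As reviewed above: any valid {PID_i, C_i, L_i} plus the flag revokes the card.
            # Nothing proves the request is fresh or that it came from U_i.
            if self.login(PID_i, C_i, msg["L_i"]):
                del self.table[PID_i]
                return True
            return False
        secret = self.table.get(PID_i)
        chal = self.challenges.pop(PID_i, None)       # single use
        if secret is None or chal is None or C_i in self.seen_C:
            return False
        expected = mac(secret, PID_i, C_i, chal, "revoke_request")
        if not hmac.compare_digest(msg.get("V_i", ""), expected):
            return False
        self.seen_C.add(C_i)
        del self.table[PID_i]
        return True


def dos_attack(hardened):
    """Attacker replays an intercepted login transcript as a revocation request.
    Returns (revocation_accepted, legitimate_user_can_still_login)."""
    cs = CloudServer(hardened)
    PID_i = "PID-alice"                       # constructed sample user
    secret = cs.register(PID_i)
    C_i = secrets.token_hex(16)               # stands in for the nonce commitment C_i = r_1 P
    L_i = mac(secret, PID_i, C_i)
    assert cs.login(PID_i, C_i, L_i)          # legitimate step 1; {PID_i, C_i, L_i} is public
    intercepted = {"PID_i": PID_i, "C_i": C_i, "L_i": L_i, "revoke_request": True}
    if hardened:
        cs.challenge(PID_i)                   # attacker may obtain a challenge but cannot MAC it
    accepted = cs.revoke(intercepted)
    C_new = secrets.token_hex(16)
    return accepted, cs.login(PID_i, C_new, mac(secret, PID_i, C_new))


def legit_revoke(hardened):
    """A genuine revocation by U_i, to show the hardened check still lets the owner through."""
    cs = CloudServer(hardened)
    PID_i = "PID-alice"
    secret = cs.register(PID_i)
    C_i = secrets.token_hex(16)
    chal = cs.challenge(PID_i)
    msg = {"PID_i": PID_i, "C_i": C_i, "L_i": mac(secret, PID_i, C_i),
           "V_i": mac(secret, PID_i, C_i, chal, "revoke_request"), "revoke_request": True}
    return cs.revoke(msg)
```

`dos_attack(False)` returns `(True, False)`: the replayed transcript revokes the card and the legitimate user is locked out until reregistration, which is exactly the weakness described above. `dos_attack(True)` returns `(False, True)` because the hardened server rejects the request on two independent grounds, a $C_i$ it has already consumed and a missing MAC over its own fresh challenge, while `legit_revoke(True)` still succeeds.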

Known Session-Specific Temporary Information Attack.
Once the attacker compromises the nonce $r_1$, he can reveal the session key through the following steps.
(Step1) The attacker intercepts $\{PID_i, C_i, L_i\}$ and $\{M_1, M_3\}$ from the public channel.
(Step2) The attacker obtains the user identity by shoulder surfing or by computing $D_i = r_1 PUB$.
(Step3) The attacker obtains $ID_s$ by compromising the user's smart card or by colluding with a user.
(Step4) The attacker computes the session key from the values obtained above.

Not Applicable to Mobile Cloud Computing.
Mo et al.'s scheme adopts a single-server architecture: only one server handles the access requests of users. However, in the MCC environment, a large number of users access the cloud using mobile devices to obtain a variety of services, and it is impracticable for a single server to deal with all the access requests in time. MCC aims at integrating the resources and computing power of multiple distributed servers; as depicted in Figure 1, the MCC architecture usually involves multiple distributed servers. Therefore, the single-server architecture of Mo et al.'s scheme is not applicable to MCC.

The Proposed Scheme
In this section, we put forward an ECC-based three-factor authentication scheme for MCC. It includes three kinds of participants, i.e., the registration center RC, the cloud server CS j , and the user U i . As a trusted third party, RC is responsible for issuing the secret key to users and cloud servers in the registration phase. In the authentication phase, RC is offline. U i and CS j implement mutual authentication and negotiate a session key without the registration center involved.

User Registration Phase. This phase is depicted in Figure 2.
(Step1) The user $U_i$ chooses his identity $ID_i$ and password $PW_i$, imprints his biometric $b_i$, and computes the registration parameters.

Server Registration Phase. This phase is depicted in Figure 3.
(Step1) The cloud server $CS_j$ delivers its identity $\{SID_j\}$ to RC via a reliable channel.
(Step2) Upon getting $\{SID_j\}$, RC computes $CS_j$'s private key $k_j = H_1(SID_j \| s)$ and public key $PUB_j = k_j P$. RC publishes the parameters $\{SID_j, PUB_j\}$ and issues $\{k_j\}$ to $CS_j$ in a credible manner.

Authentication Phase. This phase is depicted in Figure 4. If the verification holds, the smart card chooses two random numbers $r_1$ and $r_2$; later in the run, $CS_j$ chooses a random number $r_3$.

Password and Biometric Update Phase. If the verification holds, the user is asked to input his new password and imprint his new biometric.

Security Analysis
In this section, we prove the security of the proposed scheme by using the following security analysis methods.

BAN Logic Proof.
In this section, we show that the proposed scheme preserves mutual authentication and session key agreement by using BAN logic proof. We present the notations and rules of BAN logic [32] in Table 2.
The proposed scheme should be able to achieve the following goals. The proposed scheme is idealized as the messages M1 and M2, and the initial assumptions are A1 to A5. The proof is as follows.
From M1, we have
(1) $CS_j \lhd \{D_i, r_2 P\}_{B_i}$
Applying Rule 1 to (1) and A1, we obtain (2) and (3). Applying Rule 1 to (3) and A2, we have
(4) $CS_j \mid\equiv U_i \mid\sim (ID_i, r_1 P, r_2 P)$
Applying Rule 2 to (4) and A3, we have
(5) $CS_j \mid\equiv U_i \mid\equiv (ID_i, r_2 P)$
Applying Rule 3 to (5) and A4, we have
(6) $CS_j \mid\equiv r_2 P$
From M2, we have (7). Applying Rule 1 to (7) and A5, we obtain the remaining statements.
Figure 4: Authentication phase of the proposed scheme.

Security Model
(1) Participants. The proposed scheme involves three kinds of participants, i.e., the registration center RC, the cloud server CS j , and the user U i . RC a , CS a j , and U a i are the a -th instances of RC, CS j , and U i , respectively.
(2) Queries. The adversary capability is simulated through the following queries.
Execute($CS_j^a / U_i^a$). It simulates a passive attack and returns the transcript of messages to the adversary.
Send($CS_j^a / U_i^a$, m). It simulates an active attack. The adversary masquerades as a party by sending a message m to the instance $CS_j^a / U_i^a$. The oracle processes m and returns a response to the adversary.
Reveal($CS_j^a / U_i^a$). It returns the session key of $CS_j^a / U_i^a$ to the adversary.
Corrupt($U_i^a$, z). It returns one or two kinds of user authentication factors to the adversary. If z = 1, it returns the password. If z = 2, it returns the data of the smart card. If z = 3, it returns the biometric.
Corrupt($RC^a / CS_j^a$). It simulates forward secrecy. The oracle returns the master key of $RC^a$ or the private key of $CS_j^a$ to the adversary.
Test($CS_j^a / U_i^a$). It simulates the semantic security of the session key. If the instance $CS_j^a / U_i^a$ has been accepted by its partner and has established a session key SK, and the adversary has never made a Corrupt($RC^a / CS_j^a$) or Reveal($CS_j^a / U_i^a$) query, we say the instance is fresh. If $CS_j^a / U_i^a$ is fresh, the oracle tosses a coin b. If b = 1, it answers SK; otherwise, it chooses a random string of equal length and sends it to the adversary. The adversary is allowed to make this query no more than once.
(3) Semantic Security. After receiving the answer to the Test($CS_j^a / U_i^a$) query, the adversary tries to determine the value of b. We define the advantage with which the adversary A breaks the semantic security of the proposed scheme as $Adv^{ake}_P(A)$. If $Adv^{ake}_P(A)$ is negligible, the proposed scheme achieves semantic security.

Security Analysis
Theorem 1. As demonstrated in [34], the password distribution follows Zipf's law. $|D_{PW}|$ denotes the size of the password dictionary, and $C'$ and $s'$ are the parameters of the Zipf distribution. $Adv^{ECDHP}_P$ denotes the advantage with which the adversary A solves the ECDHP. A can make at most $q_e$ Execute queries, $q_s$ Send queries, $q_h$ Hash queries, and $q_b$ Biohashing queries in polynomial time t. The advantage $Adv^{ake}_P(A)$ is then bounded in terms of $q_e$, $q_s$, $q_h$, $q_b$, $|D_{PW}|$, $C'$, $s'$ and $Adv^{ECDHP}_P$, where $l_1$ is the length of the hash value and $l_2$ is the length of the biohashing value. For the Tianya password dictionary [35] of size $|D_{PW}| \approx 13$ million, $C' = 0.062239$ and $s' = 0.155478$.
Proof. The security of the proposed scheme is demonstrated through a series of games $\Phi_i$ ($0 \le i \le 6$), and $\Pr[\chi_i]$ denotes the probability that A guesses b in $\Phi_i$.
$\Phi_0$: this is the real attack game.
$\Phi_1$: the hash oracle is simulated with a list $\Lambda_H$. On a query $\tau$, if an item $(\tau, \gamma)$ is found in $\Lambda_H$, the oracle sends $\gamma$ back to the adversary; otherwise, it returns a random number $\gamma$ to the adversary and adds the new item $(\tau, \gamma)$ to $\Lambda_H$. The biohashing oracle is simulated in the same way. There is no difference between $\Phi_1$ and $\Phi_0$. Hence, $\Pr[\chi_1] = \Pr[\chi_0]$.
$\Phi_2$: this game is terminated when one of the following collisions occurs.
(1) A collision appears in the random numbers. The probability is no more than $(q_s + q_e)^2 / 2p$.
(2) A collision appears in the hash values or biohashing values. The probability is no more than $q_h^2 / 2^{l_1} + q_b^2 / 2^{l_2}$.
Hence, $|\Pr[\chi_2] - \Pr[\chi_1]| \le (q_s + q_e)^2 / 2p + q_h^2 / 2^{l_1} + q_b^2 / 2^{l_2}$.
$\Phi_3$: we abort the game when A has guessed $(D_i, L_i, M_i)$. Its advantage is no more than $q_s / 2^{l_1}$. Hence, $|\Pr[\chi_3] - \Pr[\chi_2]| \le q_s / 2^{l_1}$.
$\Phi_4$: we abort the game when A has guessed the user's secret key $d_i$. Its advantage is no more than $q_s / 2^{l_1}$. Hence, $|\Pr[\chi_4] - \Pr[\chi_3]| \le q_s / 2^{l_1}$.
$\Phi_5$: we abort the game when A has computed $d_i$ with the aid of the Corrupt($U_i^a$, z) query.
(1) If A has obtained the user's password and biometric, he is able to reveal the key parameter $W_i$ with probability $q_s / 2^{l_1}$.
(2) If A has obtained the user's password and the data of the smart card, he is able to reveal the biometric with probability $q_s / 2^{l_2}$.
(3) If A has obtained the user's biometric and the data of the smart card, he is able to reveal the password with probability $C' \cdot q_s^{s'}$.
Hence,
$|\Pr[\chi_5] - \Pr[\chi_4]| \le q_s / 2^{l_2} + C' \cdot q_s^{s'} + q_s / 2^{l_1}$. (8)
$\Phi_6$: if A has asked the Hash query $H_1(r_3 N_i \| D_i)$, then by picking an item from $\Lambda_H$ we obtain a solution of the ECDHP with probability $1/q_h$. Hence, $|\Pr[\chi_6] - \Pr[\chi_5]| \le q_h \cdot Adv^{ECDHP}_P$.
From (3)-(11), we obtain the bound of Theorem 1.

Further Security Analysis
This section demonstrates that the proposed scheme is immune to known attacks and provides various desirable security properties.

Mutual Authentication.
In our scheme, the cloud server authenticates the user by checking whether $D_i P = A_i + C_i \cdot PUB_i$. $D_i$ is a signature computed with the user's private key $d_i$; only the user $U_i$ who holds $d_i$ can produce a valid $D_i$. In addition, the user validates the cloud server by checking whether $L_i^* = L_i$. The user actually authenticates the cloud server through $B_i = r_1 PUB_j = k_j A_i$: in the login request, $D_i$ is encrypted under the key $B_i$, and apart from the user $U_i$, only the cloud server $CS_j$ who holds the secret key $k_j$ can compute $B_i$, retrieve $D_i$ from $E_i$, and generate a valid authentication value $L_i$.

Session Key Agreement.
The user and the cloud server generate the session key $SK = H_1(r_3 r_2 P \| D_i)$. The session key is composed of $r_3 r_2 P$ and $D_i$. $r_3 r_2 P$ is generated by elliptic curve Diffie-Hellman key exchange and guarantees forward secrecy. $D_i$ is generated from the user's private key and guarantees resistance to the session-specific temporary information attack.
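The following Python example, added here and not taken from the paper, reconstructs one run of the authentication phase from the relations stated in the two paragraphs above and in the registration phase: $k_j = H_1(SID_j \| s)$, $PUB_j = k_j P$, $B_i = r_1 PUB_j = k_j A_i$, the check $D_i P = A_i + C_i \cdot PUB_i$, and $SK = H_1(r_3 r_2 P \| D_i)$. Everything the page does not fix is an assumption of the example and is marked as such in the code: the curve (secp256k1, implemented in pure Python so the example runs offline), the derivation of the user key pair $(d_i, PUB_i)$ by RC, the challenge $C_i$ as a hash of the request (which makes $D_i$ a Schnorr-style signature), the cipher forming $E_i$ under $B_i$, and the authenticators $L_i$ and $M_i$ as hashes keyed by SK. The identities `"CS-1"` and `4242` are constructed sample values.

```python
import hashlib
import secrets

# secp256k1 domain parameters (well-known constants). The paper fixes no curve,
# so the curve choice is an assumption of this example; P is the generator.
p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
P = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(P1, P2):
    """Affine point addition on y^2 = x^3 + 7; None is the point at infinity."""
    if P1 is None:
        return P2
    if P2 is None:
        return P1
    (x1, y1), (x2, y2) = P1, P2
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    if P1 == P2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)


def ec_mul(k, Q):
    """Double-and-add scalar multiplication k*Q (not constant-time; fine for a demo)."""
    R = None
    while k:
        if k & 1:
            R = ec_add(R, Q)
        Q = ec_add(Q, Q)
        k >>= 1
    return R


def H1(*parts):
    """Stand-in for the paper's H_1: SHA-256 over the '||'-joined inputs, read as an integer."""
    return int.from_bytes(hashlib.sha256(b"||".join(repr(x).encode() for x in parts)).digest(), "big")


def sym(B_i, ID_i, D_i):
    """Encryption of (ID_i, D_i) under B_i, forming E_i. The paper does not fix the cipher;
    this example XORs with hash-derived pads, so the same call also decrypts."""
    return (ID_i ^ H1("id", B_i), D_i ^ H1("sig", B_i))


def rand_scalar():
    return secrets.randbelow(n - 1) + 1


def rc_register(s, SID_j, ID_i):
    """Registration (RC online). k_j = H_1(SID_j || s) and PUB_j = k_j P are as in the paper;
    deriving the user's private key d_i the same way is an assumption of this example."""
    k_j = H1(SID_j, s) % n
    d_i = H1(ID_i, s) % n
    return k_j, ec_mul(k_j, P), d_i, ec_mul(d_i, P)   # k_j, PUB_j, d_i, PUB_i


def user_login(ID_i, d_i, PUB_j):
    """U_i builds the login request {A_i, E_i, N_i}; RC is offline from here on."""
    r1, r2 = rand_scalar(), rand_scalar()
    A_i, B_i, N_i = ec_mul(r1, P), ec_mul(r1, PUB_j), ec_mul(r2, P)
    C_i = H1(ID_i, A_i, N_i) % n            # assumption: challenge = hash of the request
    D_i = (r1 + C_i * d_i) % n              # Schnorr-style signature: D_i P = A_i + C_i PUB_i
    return {"A_i": A_i, "E_i": sym(B_i, ID_i, D_i), "N_i": N_i}, {"r2": r2, "D_i": D_i}


def server_respond(k_j, pubkeys, req):
    """CS_j recovers B_i = k_j A_i, decrypts E_i, verifies D_i, and answers {F_i, L_i}."""
    B_i = ec_mul(k_j, req["A_i"])           # equals r1 PUB_j; computable only with k_j or r1
    ID_i, D_i = sym(B_i, *req["E_i"])
    PUB_i = pubkeys.get(ID_i)
    C_i = H1(ID_i, req["A_i"], req["N_i"]) % n
    if PUB_i is None or ec_mul(D_i, P) != ec_add(req["A_i"], ec_mul(C_i, PUB_i)):
        return None, None                   # unknown user or invalid signature: abort
    r3 = rand_scalar()
    F_i = ec_mul(r3, P)
    SK = H1(ec_mul(r3, req["N_i"]), D_i)    # SK = H_1(r3 r2 P || D_i)
    return {"F_i": F_i, "L_i": H1("L", SK, F_i)}, SK   # L_i keyed by SK: assumption


def user_finish(state, req, resp):
    """U_i derives SK = H_1(r2 F_i || D_i), checks L_i, and returns {M_i}."""
    SK = H1(ec_mul(state["r2"], resp["F_i"]), state["D_i"])
    if H1("L", SK, resp["F_i"]) != resp["L_i"]:
        return None, None
    return {"M_i": H1("M", SK, req["A_i"])}, SK        # M_i keyed by SK: assumption


def run_protocol(tamper=False):
    """One full run; returns (user SK, server SK, server accepts M_i).
    With tamper=True an active adversary swaps N_i after U_i signed the request."""
    s = rand_scalar()                                   # RC master key
    k_j, PUB_j, d_i, PUB_i = rc_register(s, "CS-1", 4242)   # constructed SID_j and ID_i
    req, state = user_login(4242, d_i, PUB_j)
    if tamper:
        req["N_i"] = ec_mul(7, P)
    resp, sk_server = server_respond(k_j, {4242: PUB_i}, req)
    if resp is None:
        return None, None, False
    fin, sk_user = user_finish(state, req, resp)
    return sk_user, sk_server, fin["M_i"] == H1("M", sk_server, req["A_i"])
```

An honest run yields equal session keys on both sides and an accepted $M_i$, while the tampered run is rejected by the server at the signature check, since the challenge $C_i$ no longer matches the signed request. The point to take from the two ECDH-style values is the one the paper makes: $r_3 r_2 P$ is what an attacker holding only the long-term keys cannot recover from $F_i$ and $N_i$, and $D_i$ is what an attacker holding only a leaked $r_2$ or $r_3$ cannot recover without $B_i$.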

User Anonymity.
In our scheme, the user identity is encrypted under the key $B_i$. As the ECDHP is intractable, only the user who knows the random number $r_1$ and the cloud server who holds the secret key $k_j$ can retrieve $ID_i$ from $E_i$. Additionally, the random numbers $r_1$ and $r_2$ are involved in the login request $\{A_i, E_i, N_i\}$, so the login requests differ in each session. Thus, the proposed scheme preserves user untraceability.

Offline RC.
In the authentication phase, the user and the cloud server perform mutual authentication and session key agreement without the aid of RC. This reduces the number of exchanged messages and, correspondingly, the communication and computation overheads.

Forward Secrecy.
The session key is computed as $SK = H_1(r_3 r_2 P \| D_i)$, where $r_3 r_2 P$ is generated by elliptic curve Diffie-Hellman key exchange. Due to the intractability of the ECDHP, even if the attacker obtains the long-term secrets, he is unable to retrieve $r_3 r_2 P$ from the transmitted $F_i$ and $N_i$. Hence, the proposed scheme preserves forward secrecy.

Resist Session-Specific Temporary Information Attack.
Suppose that the random number $r_2$ is compromised. The adversary can compute $r_2 F_i = r_3 r_2 P$; however, as $B_i$ is unavailable, he cannot obtain $D_i$. Suppose that the random number $r_3$ is compromised. As $B_i$ is unavailable, the adversary again cannot obtain $D_i$, and therefore cannot compute SK from $r_3 N_i$ alone.
As a result, the adversary cannot reveal the session key when a random number is compromised.

Resist Forgery Attack.
In our scheme, the user computes the signature $D_i$ with the private key $d_i$ to authenticate the message $\{A_i, E_i, N_i\}$. Afterwards, the cloud server uses the shared session key SK to authenticate the message $\{F_i, L_i\}$. Finally, the user uses SK to authenticate the message $\{M_i\}$. As the secret key $d_i$ and SK are unavailable to the adversary, he cannot produce a valid message.

Resist Replay Attack.
In the proposed scheme, the cloud server authenticates the user by checking the validity of the messages $\{A_i, E_i, N_i\}$ and $\{M_i\}$. If the adversary replays $\{A_i, E_i, N_i\}$, he cannot produce a valid $\{M_i\}$ for the fresh $r_3$ chosen by the server, so the authentication ultimately fails. If the adversary replays $\{F_i, L_i\}$ or $\{M_i\}$, as the random numbers selected in each session are different, the authentication fails. Hence, the proposed scheme can resist the replay attack.

Resist Insider Attack.
A user cannot impersonate the cloud server without the cloud server's private key. Similarly, the cloud server cannot impersonate the user without the user's private key. Other users cannot pretend to be the user $U_i$, as they cannot generate a valid signature of $U_i$. Other cloud servers cannot pretend to be the cloud server $CS_j$, as they cannot decrypt $E_i$ to get $D_i$. Hence, our scheme is resistant to the insider attack.

User Friendliness.
The proposed scheme provides user friendliness. Firstly, it adopts a multiserver architecture: the user only needs to register once to access multiple servers. Secondly, in the authentication phase the registration center is offline, and the user accesses the cloud server directly without interacting with the registration center. Thirdly, the proposed scheme supports smart card revocation, efficient detection of a wrong password or biometric, and password and biometric update.

Three-Factor Secrecy.
The fuzzy verification $Z_i$ makes our scheme immune to the offline guessing attack. Even if the adversary compromises two kinds of authentication factors, the third one remains unavailable. In addition, the only way for the adversary to retrieve $d_i$ is to break the password, the biometric, and the smart card at the same time. Without $d_i$, the adversary cannot impersonate the user. Hence, the proposed scheme preserves three-factor secrecy.

Performance Comparisons
The comparative analysis of our scheme and the relevant schemes [3, 26-28] is presented in this section. The schemes are evaluated from two aspects, i.e., security properties and computation and communication overheads. Table 3 presents the security analysis results of the relevant schemes. The security attributes include user anonymity and three-factor secrecy, as well as resistance to the usual attacks. Besides, the characteristics of the proposed scheme and the relevant schemes are also detailed in Table 3. From Table 3, we see that the relevant schemes [3, 26-28] have more or less weaknesses, while the proposed scheme remedies their security defects and provides the desirable security properties. It shows that the proposed scheme has better security than the relevant schemes.
In accordance with [26], the user uses a mobile device to access the cloud server, the cloud server is deployed on a personal computer, and the execution times of the relevant cryptographic operations are presented in Table 4. The computation costs of our scheme and the relevant schemes are evaluated from these timings. To evaluate the communication cost, we suppose that the user identity is 32 bits, a point on the elliptic curve group is 1024 bits, and a hash value is 160 bits. The login request query in [3, 26, 27] is 32 bits. As shown in Table 6, the communication cost of the proposed scheme is 3584 bits. The communication costs of the relevant schemes [3, 26, 27, 28] are 4320 bits, 3296 bits, 4288 bits, and 2720 bits, respectively. Figure 5 presents the comparison of the total computation costs, the computation costs at the user end, and the computation costs at the cloud server. Figure 6 presents the communication cost comparison. In terms of communication cost, our scheme ranks third among the five schemes and is below the average (about 3642 bits). In terms of the total computation cost, the user's computation cost, and the server's computation cost, the proposed scheme is second only to Mo et al.'s scheme. However, Mo et al.'s scheme has limitations such as the stolen-verifier attack and the denial of service attack; in particular, its single-server architecture is not applicable to the mobile cloud computing environment. In a nutshell, our scheme provides more security attributes and has low computation and communication costs. Among the relevant schemes, the security features of He et al.'s scheme are the closest to ours, yet the computation cost of our scheme is 0.72 times that of He et al.'s scheme. Our scheme achieves balanced security and efficiency. Compared with the relevant schemes, it is more applicable to mobile cloud computing.

Conclusion
In this paper, we demonstrate that Mo et al.'s scheme has limitations such as the stolen-verifier attack and the denial of service attack. Most notably, its single-server architecture is not applicable to MCC. To enhance the security, we present a provably secure ECC-based three-factor authentication scheme. Security analysis shows that our scheme is immune to known attacks and provides user friendliness. Performance comparisons indicate that our scheme provides more security attributes and incurs low computation and communication costs, so it is more applicable to MCC. As postquantum security has become a focus of researchers, we plan to use lattice-based key exchange [36] and smooth projective hash functions [37] to construct a quantum-resistant scheme in the next step.

Data Availability
The data used to support the findings of this study are included within the article.

Conflicts of Interest
The authors declare no conflict of interest.