Provable user authentication scheme on ECC in multi-server environment

Abstract

Authentic communication is an inevitable trend in the fourth industrial revolution. In a city, the convenient administrative formalities should be quick, accurate and secure. There are many different public authorities with different functionalities, and a citizen needs to register with all agencies and keeps the various information corresponding to each service. Clearly, single and central registration is necessary because it stops us from repeatedly providing personal data to many places. In this work, we propose a provable elliptic curve cryptography-based authentication scheme in multi-server architecture, where a person registers with a trusted center once and becomes authorized to access all related service-providers which can leave and join at will without any influence on current users and different providers. Our proposed scheme is suitable for many practical applications, such as smart-city or internet of things.

Appendices

Appendix A: Proofs of BAN-logic lemmas

Next, we present the full proofs of remaining lemmas

1.1 A.1 Lemma 2

If S believes that U believes its uid is shared successfully and U controls completely this uid’s sharing, S believes U’s uid is shared successfully .

$$\begin{aligned} \frac{\textit{S}|\equiv (\textit{U}|\equiv (\textit{U}{\mathop {\leftrightarrow }\limits ^{\textit{uid}}}{} \textit{S})), \textit{S}|\equiv (\textit{U}\Rightarrow (\textit{U}{\mathop {\leftrightarrow }\limits ^{\textit{uid}}}{} \textit{S}))}{\textit{S}|\equiv \textit{U}{\mathop {\leftrightarrow }\limits ^{\textit{uid}}}{} \textit{S}} \end{aligned}$$

Proof

Applying jurisdiction rule with lemma 1 and A\(_{4}\) to have

$$\begin{aligned} \frac{\textit{S}|\equiv \textit{U}|\equiv \textit{U}{\mathop {\leftrightarrow }\limits ^{\textit{uid}}}{} \textit{S}, \textit{S}|\equiv \textit{U}\Rightarrow \textit{U}{\mathop {\leftrightarrow }\limits ^{\textit{uid}}}{} \textit{S}}{\textit{S}|\equiv \textit{U}{\mathop {\leftrightarrow }\limits ^{\textit{uid}}}{} \textit{S}}. \end{aligned}$$

So, we complete the lemma 2. \(\square\)

1.2 A.2 Lemma 3

If U believes k is shared with S and its messages encrypted with k are fresh, U believes that S believes its uid is shared successfully:

$$\begin{aligned} \frac{\textit{U}|\equiv (\textit{U}{\mathop {\leftrightarrow }\limits ^{\textit{k}}}{} \textit{S}), \textit{U}|\equiv \#(\textit{r}_{S}\times \textit{k})}{\textit{U}|\equiv (\textit{S}|\equiv (\textit{U}{\mathop {\leftrightarrow }\limits ^{\textit{uid}}}{} \textit{S}))} \end{aligned}$$

Proof

Applying jurisdiction rule with A\(_{2}\) and M\(_{S}\) to have \(\frac{\textit{U}|\equiv \textit{U}{\mathop {\leftrightarrow }\limits ^{\textit{k}}}{} \textit{S}, \textit{U}\triangleleft \textit{M}_{S}}{\textit{U}|\equiv \textit{S}|\sim \textit{M}_{S}}\). Then, applying freshness rule with A\(_{7}\) to have \(\frac{\textit{U}|\equiv \#(\textit{r}_{S}\times \textit{k}), \textit{U}|\equiv \textit{S}|\sim \textit{M}_{S}}{\textit{U}|\equiv \#\textit{M}_{S}}\). So, combining these results with nonce-verification rule to have \(\frac{\textit{U}|\equiv \textit{S}|\sim \textit{M}_{S}, \textit{U}|\equiv \#\textit{M}_{S}}{\textit{U}|\equiv \textit{S}|\equiv \textit{M}_{S}}\). Finally, applying believe rule to have \(\frac{\textit{U}|\equiv \textit{S}|\equiv \textit{M}_{S}}{\textit{U}|\equiv \textit{S}|\equiv \textit{U}{\mathop {\leftrightarrow }\limits ^{\textit{uid}}}{} \textit{S}}\). So, we prove how proposed scheme satisfies lemma 3. So, we can claim both S and U believe and share their identities successfully. Next are the similar things for session-key. \(\square\)

1.3 A.3 Lemma 4

If U believes that s\(_{j_X}\) is shared with S and its messages encrypted with k are fresh, U believes that S believes session-key sk is shared successfully .

$$\begin{aligned} \frac{\textit{U}|\equiv \textit{U}{\mathop {\leftrightarrow }\limits ^{\textit{k}}}{} \textit{S}, \textit{U}|\equiv \#(\textit{r}_{S}\times \textit{k})}{\textit{U}|\equiv \textit{S}|\equiv (\textit{S}{\mathop {\leftrightarrow }\limits ^{\textit{sk}}}{} \textit{U})} \end{aligned}$$

Proof

Applying message-meaning rule with A\(_{2}\) and M\(_{US}\) to have \(\frac{\textit{U}|\equiv \textit{U}{\mathop {\leftrightarrow }\limits ^{\textit{k}}}{} \textit{S}, \textit{U}\triangleleft \textit{M}_{US}}{\textit{U}|\equiv \textit{S}|\sim \textit{M}_{US}}\). Applying freshness rule with A\(_{7}\) and M\(_{US}\) to have \(\frac{\textit{U}|\equiv \#(\textit{r}_{S}\times \textit{k}), \textit{U}\triangleleft \textit{M}_{US}}{\textit{U}|\equiv \#\textit{M}_{US}}\). Next, we use believe rule to have \(\frac{\textit{U}|\equiv \textit{S}|\sim \textit{M}_{US}, \textit{U}|\equiv \#\textit{M}_{US}}{\textit{U}|\equiv \textit{S}|\equiv \textit{M}_{US}}\). Secondly, we apply believe rule to have \(\frac{\textit{U}|\equiv \textit{S}|\equiv \textit{M}_{US}}{\textit{U}|\equiv \textit{S}|\equiv \textit{S}{\mathop {\leftrightarrow }\limits ^{\textit{sk}}}{} \textit{U}}\). So, we complete the lemma 4. \(\square\)

1.4 A.4 Lemma 5

If U believes that S controls sk’s sharing and S believes sk is shared with U, then U believes sk’s sharing.

$$\begin{aligned} \frac{\textit{U}|\equiv (\textit{S}\Rightarrow (\textit{U}{\mathop {\leftrightarrow }\limits ^{\textit{sk}}}{} \textit{S})), \textit{U}|\equiv (\textit{S}|\equiv (\textit{S}{\mathop {\leftrightarrow }\limits ^{\textit{sk}}}{} \textit{U}))}{\textit{U}|\equiv (\textit{U}{\mathop {\leftrightarrow }\limits ^{\textit{sk}}}{} \textit{S})} \end{aligned}$$

Proof

Applying jurisdiction rule with A\(_{3}\) and lemma 4 to have \(\frac{\textit{U}|\equiv \textit{S}\Rightarrow \textit{U}{\mathop {\leftrightarrow }\limits ^{\textit{sk}}}{} \textit{S}, \textit{U}|\equiv \textit{S}|\equiv \textit{S}{\mathop {\leftrightarrow }\limits ^{\textit{sk}}}{} \textit{U}}{\textit{U}|\equiv \textit{U}{\mathop {\leftrightarrow }\limits ^{\textit{sk}}}{} \textit{S}}\). So, we complete the lemma 5. \(\square\)

1.5 A.5 Lemma 6

If S believes that k is shared with U and that its messages encrypted with k are fresh, S believes that U believes sk’s sharing: \(\frac{\textit{S}|\equiv (\textit{S}{\mathop {\leftrightarrow }\limits ^{\textit{k}}}{} \textit{U}, \textit{S}|\equiv \#(\textit{r}_{U}\times \textit{k}))}{\textit{S}|\equiv (\textit{U}|\equiv (\textit{U}{\mathop {\leftrightarrow }\limits ^{\textit{sk}}}{} \textit{S}))}\)

Proof

Applying message-meaning rule with A\(_{6}\) and M\(_{US}\) to have \(\frac{\textit{S}|\equiv \textit{S}{\mathop {\leftrightarrow }\limits ^{\textit{k}}}{} \textit{U}, \textit{S}_{j}\triangleleft \textit{M}_{US}}{\textit{S}_{j}|\equiv \textit{U}_{X}|\sim \textit{M}_{US}}\). Next, applying freshness rule with A\(_{8}\) and M\(_{US}\) to have \(\frac{\textit{S}|\equiv \#(\textit{r}_{U}\times \textit{k}), \textit{S}\triangleleft \textit{M}_{US}}{\textit{S}|\equiv \#\textit{M}_{US}}\). With these two results and nonce-verification rule, we have \(\frac{\textit{S}|\equiv \textit{U}|\sim \textit{M}_{US}, \textit{S}|\equiv \#\textit{M}_{US}}{\textit{S}|\equiv \textit{U}|\equiv \textit{M}_{US}}\). Finally, we use A\(_{6}\) and believe rule to have \(\frac{\textit{S}|\equiv \textit{S}{\mathop {\leftrightarrow }\limits ^{\textit{k}}}{} \textit{U}, \textit{S}|\equiv \textit{U}|\equiv \textit{M}_{US}}{\textit{S}|\equiv \textit{U}|\equiv \textit{U}{\mathop {\leftrightarrow }\limits ^{\textit{sk}}}{} \textit{S}}\). So, we complete the lemma 6 \(\square\)

1.6 A.6 Lemma 7

If S believes U controls sk’s sharing, S believes sk is shared with U successfully: \(\frac{\textit{S}|\equiv (\textit{U}\Rightarrow (\textit{U}{\mathop {\leftrightarrow }\limits ^{\textit{sk}}}{} \textit{S}))}{\textit{S}|\equiv (\textit{S}{\mathop {\leftrightarrow }\limits ^{\textit{sk}}}{} \textit{U})}\)

Proof

with A\(_{5}\) and S\(|\) \(\equiv\)U\(|\) \(\equiv\)M\(_{US}\), applying message-meaning rule to have \(\frac{\textit{S}|\equiv \textit{U}\Rightarrow \textit{U}{\mathop {\leftrightarrow }\limits ^{\textit{sk}}}{} \textit{S}, \textit{S}|\equiv \textit{U}|\equiv \textit{M}_{US}}{\textit{S}|\equiv \textit{M}_{US}}\). Finally, applying believe rule to have \(\frac{\textit{S}|\equiv \textit{M}_{US}}{\textit{S}|\equiv \textit{S}{\mathop {\leftrightarrow }\limits ^{\textit{sk}}}{} \textit{U}}\). So, we completely prove lemma 7. Eventually, we claim both S and U believe sk. \(\square\)

Appendix B: The security’s definition

Here, we present the security’s definition and some security properties: both S\(_{j}\) and U\(_{X}\) follow our scheme.

• When S\(_{j}\) and U\(_{X}\) successfully compute session-key and receive expected messages, we call they are accepted

• S\(_{j}\) and U\(_{X}\) are partnered if and only if:

  1. 1

     both of them are accepted

  2. 2

     pid\(_{U_X}\) = S\(_{j}\) and pid\(_{S_j}\) = U\(_{X}\)

  3. 3

     sid\(_{S_j, U_X}\) = sid\(_{U_X, S_j}\)

• S\(_{j}\) and U\(_{X}\) are fresh if satisfying three conditions:

  1. 1

     they are partnered

  2. 2

     no secret information of U\(_{X}\) and S\(_{j}\) is leaked before they are accepted

  3. 3

     no session-key is leaked before they are accepted

Next, we present some queries which A, a probabilistic polynomial-time adversary attacking our scheme, denoted by P in AKE-security sense, can launch:

• Execution query: with this query, A can extract all messages exchanged between two partners. We let q\(_{E}\) be the number of execute queries and sid\(_{S_j, U_X}\) \(\leftarrow\) Execute(U\(_{X}\), S\(_{j}\)) be the notation representing the output of this query.

• Send query: with this query, A can interact with U\(_{X}\)/S\(_{j}\). We let q\(_{S}\) be the number of send queries and m-out \(\leftarrow\) Send(O\(^{i}\), m-in) be the notation of output and input of this query, where O\(^{i}\) \(\in\) {U\(_{X}\), S\(_{j}\)}, m-in is the input-message and m-out is the output-message.

• Reveal query: with this query, A can know sk of U\(_{X}\) and S\(_{j}\). Also, we let q\(_{R}\) be the number of reveal queries and sk\(^{i}\) \(\leftarrow\) Reveal(O\(^{i}\)) be the notation of output this query, where O\(^{i}\) is fresh and \(\in\) {U\(_{X}^{i}\), S\(_{j}^{i}\)}.

• Corrupt query: with this query, A can know secret information, such as long-term key or master-key, of U\(_{X}\) and S\(_{j}\). We let q\(_{C}\) be the number of corrupt queries and {UID\(_{X}\), B\(_{X}\)} \(\leftarrow\) Corrupt(U\(_{X}\), 1) and {smart-card} \(\leftarrow\) Corrupt(U\(_{X}\), 0) be the notation of the output this query. We see that A only knows smart-card or {UID\(_{X}\), B\(_{X}\)}. As for S\(_{j}\), A can know {r\(_{j}\), ASID\(_{j}\)}

• Hash query: with this query, A can query a value m and receive random value r. If m is a new message, O\(_{Hash}\) returns random number r. Otherwise, it returns the previously generated r. We let q\(_{H}\) be the sum of number of hash queries and r \(\leftarrow\) Hash(O\(_{Hash}\), m) be the notation of output this query. Note that this description is just a general guide for all kinds of hash functions in our scheme.

Theorem 1

Within a time t\(_{A}\), if A cannot predict correct session-key of another fresh O\(^{i}\), proposed scheme P will be AKE-security. Let Adv\(_{P}^{AKE}\)(A, t\(_{A}\)) be the A’s advantage of breaking P in AKE-security within appropriate t\(_{A}\), and A uses at most q\(_{H}\), q\(_{S}\), q\(_{E}\), q\(_{R}\) and q\(_{C}\) queries, where q\(_{H}\) > q\(_{S}\) = q\(_{E}\) = q\(_{R}\) = q\(_{C}\). We need Adv\(_{P}^{AKE}\)(A, t\(_{A}\)) is negligible: Adv\(_{P}^{AKE}\)(A, t\(_{A}\)) \(\le\) \(\epsilon\) (\(*\))