IEEE SYSTEMS JOURNAL, VOL. 9, NO. 3, SEPTEMBER 2015

A Privacy-Aware Authentication Scheme for Distributed Mobile Cloud Computing Services

Jia-Lun Tsai and Nai-Wei Lo

Abstract: In modern societies, the number of mobile users has risen dramatically in recent years. In this paper, an efficient authentication scheme for distributed mobile cloud computing services is proposed. The proposed scheme provides security and convenience for mobile users to access multiple mobile cloud computing services from multiple service providers using only a single private key. The security strength of the proposed scheme is based on a bilinear pairing cryptosystem and dynamic nonce generation. In addition, the scheme supports mutual authentication, key exchange, user anonymity, and user untraceability. From a system implementation point of view, verification tables are not required for the trusted smart card generator (SCG) service and cloud computing service providers when adopting the proposed scheme. In consequence, this scheme reduces the memory space used on these service providers. In one mobile user authentication session, only the targeted cloud service provider needs to interact with the service requestor (user). The trusted SCG serves as the secure key distributor for distributed cloud service providers and mobile clients. In the proposed scheme, the trusted SCG service is not involved in the individual user authentication process. With this design, our scheme reduces the authentication processing time required by communication and computation between cloud service providers and a traditional trusted third party service. Formal security proof and performance analyses are conducted to show that the scheme is both secure and efficient.
Index Terms: Authentication scheme, bilinear pairing, mobile cloud computing services, user anonymity, user untraceability.

Manuscript received April 24, 2013; revised January 15, 2014; accepted April 2, 2014. Date of publication May 21, 2015; date of current version June 18, 2015. This work was supported in part by the Taiwan Information Security Center and in part by the National Science Council of Taiwan under Grants MOST 102-2218-E-011-013 and MOST 103-2221-E-011-091-MY2.
The authors are with the Department of Information Management, National Taiwan University of Science and Technology, Taipei 106, Taiwan (e-mail: crousekimo@yahoo.com.tw; nwlo@cs.ntust.edu.tw).
Digital Object Identifier 10.1109/JSYST.2014.2322973
1932-8184 © 2015 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

I. INTRODUCTION
The development of mobile cloud computing [1]-[4] has become an important research field in the mobile-oriented world, providing new supplement, consumption, and delivery models for IT services. As reported by ABI Research, more than 240 million business customers will be leveraging cloud computing services through mobile devices by 2015, driving revenues of $5.2 billion [5]. In mobile cloud computing, mobile users can access computation results, resources, applications, and services that are stored, implemented, and deployed in cloud computing environments by using mobile devices through an insecure wireless local area network (WLAN) or 3G/4G telecommunication networks. When a user intends to access a mobile cloud computing service, he/she activates the service through a Web browser or a cloud service application (i.e., App) installed on his/her mobile device. The Web browser or the cloud service application will then mutually authenticate both the cloud service provider and the user. After authentication, the user can access the resources and available services from the cloud service provider. In order to prevent illegal access, cloud providers should support a secure authentication scheme for users of mobile devices [6]-[9]. However, three concerns have to be resolved along with the authentication scheme [3], [10]-[13]. First of all, the computing efficiency of the scheme should be seriously considered, since mobile devices have only relatively limited computing capability in comparison with laptop computers. Second, sufficient security strength should be supported; since all messages are transmitted via an insecure WLAN or telecommunication networks, an adversary can easily obtain, interrupt, or modify transmitted messages before they reach the desired recipient. Third, privacy protection of user accounts is a rising issue, as identity masquerade and identity tracing have become common attacks in wireless mobile environments.
As mobile users generally access different types of mobile cloud computing services from a variety of service providers, it is extremely tedious for users to register different user accounts on each service provider and maintain the corresponding private keys or passwords for authentication. In other words, a key management issue for users has emerged in the distributed mobile cloud environment. In consequence, mobile users will likely be interested in how to access various services from distinct mobile cloud service providers by using only one single private key or password.
Traditional single sign-on (SSO) schemes [14]-[22] such as Passport and OpenID are one possible solution for the key management issue. In such systems, users can access multiple mobile cloud computing services using only one secret key or password. However, most SSO systems require a trusted third party to participate in each user authentication session. OpenID is an example of a decentralized SSO mechanism, which has been widely adopted by many Internet service providers such as Yahoo and Google, with over 50 000 websites currently using OpenID as their authentication scheme. OpenID involves three roles: users, relying partners (RP) or service providers (SP), and identity providers (IdP). In OpenID, an IdP can also be an SP and vice versa. Each SP has to share secrets with the IdP in advance to establish partnership and identification. A user must register with an IdP in advance to obtain an OpenID identifier. When this user logs in to websites that have adopted OpenID, he/she first sends his/her OpenID identifier to the SP via a secure channel such as Secure Sockets Layer (SSL). The SP then verifies the user's OpenID identifier by redirecting the request to the IdP for user validity confirmation. Once the IdP confirms the legal status of the logging-in user, the IdP redirects the user session back to the targeted SP with a credential. The targeted SP will verify the credential received from the IdP; if the credential is valid, then the SP authenticates the user. Fig. 1 illustrates the user authentication process using OpenID. However, an SP cannot provide its services to users if the IdP is too busy to handle incoming requests or has malfunctioned. The IdP could become the bottleneck for traditional SSO systems. In addition, traditional SSO schemes usually have to be combined with some secure message transmission protocol to protect message integrity and confidentiality [22]. For example, the OpenID specifications strongly recommend the use of an SSL network connection for all message transmissions. Since the SSL technique is based on traditional public key cryptosystems such as RSA, an SSL implementation requires heavy computation cost on a mobile device when cloud service requests from mobile users are considered. Therefore, it is unsuitable for mobile users to adopt current SSO solutions in distributed mobile cloud environments.

Fig. 1. User authentication process using OpenID.

A desirable user authentication scheme for mobile users in a distributed cloud services environment should preserve the following benefits.
1) The authentication scheme is based on some efficient cryptosystem to support mutual authentication and user anonymity without using SSL.
2) A trusted third party is required for user registration and service provider registration, but it is not required to participate in each user authentication session later.
3) A user can access mobile services from multiple service providers with only one private key.
4) The authentication scheme does not require heavy computation operations on users' mobile devices.
Fig. 2 illustrates the process of a desirable authentication scheme for the distributed cloud computing environment.

Fig. 2. Process of desirable authentication scheme for distributed cloud computing environment.
A. Related Works
An authentication scheme is a basic security mechanism for all network-based services to prevent illegal access from unauthorized users or adversaries. Traditional authentication schemes are usually based on traditional public key cryptosystems. Traditional public key cryptosystems such as RSA require lengthy key sizes and consume computation resources heavily. Hence, most traditional authentication schemes are unsuitable for mobile devices, which have limited computing resources. The elliptic curve cryptosystem (ECC), which was first introduced by Koblitz [23] and Miller [24], offers the smallest key size per equivalent strength of any traditional public key cryptosystem, including RSA and those based on the Discrete Logarithm Problem (DLP). For example, a 256-bit ECC public key has the same security level as a 3072-bit RSA public key [25]. Such computational efficiency is beneficial for mobile devices.
Recently, bilinear pairing on an elliptic curve has been used in developing ID-based cryptosystems [26]-[28]. Since then, several ID-based cryptosystems have been proposed. An ID-based cryptosystem is one kind of public key cryptosystem that can solve the high cost of public key management and authentication found in traditional public key cryptosystems. In an ID-based cryptosystem, the identity of a user is used as the public key of this user; a user therefore does not spend extra computational cost to verify the public keys of others, and no extra storage space in the user's device is required to store the public keys of others and their corresponding certificates. Several studies have applied ID-based cryptosystems in cloud and grid computing environments. Lim and Robshaw [29], [30] first applied an ID-based cryptosystem to grid security in 2004, whereas in the same year, Mao [31] proposed an identity-based
noninteractive authentication framework for grids. In 2009, Li et al. [32] developed a new ID-based authentication scheme for the cloud computing environment. However, the authentication protocol of Lin et al. does not provide user anonymity and untraceability [33], [34].
Since most authentication schemes based on ECC or bilinear pairing [35]-[41] are designed for the client-server environment, they are not suitable for direct adoption in a distributed services environment in which multiple service providers compete
with each other and offer various kinds of services. The most
important issue is that a user needs to manage multiple private
keys learned from each service provider. To resolve user key
management issue, the simplest way is that all service providers
share the same master private key. However, if an adversary
attacks one of the service providers successfully, he/she can
learn this master private key and masquerade as any one of the
service providers to cheat users. In addition, a malicious adversary, who has obtained the master private key from a service
provider, can learn session keys established between another
service provider and a user if the applied authentication scheme
does not support perfect forward secrecy. After learning the
session key, the malicious attacker can get sensitive information
transmitted between another service provider and a user. Hence,
this simple approach is also unsuitable for distributed mobile
cloud environments.
B. Contributions
An anonymous user authentication scheme based on bilinear pairing for distributed mobile cloud computing services is proposed in this paper. The proposed scheme supports mutual authentication, key exchange, and initiator (user) untraceability. The proposed scheme is carefully designed to exclude the need for the trusted third party to be involved in regular user authentication sessions, so that the total user authentication processing time can be reduced. The proposed scheme is built upon bilinear pairing and random nonces; consequently, this scheme requires fewer computing resources on both the mobile users' devices and the service providers. Through an ID-based cryptosystem, a user needs only one private key to access multiple services from distinct mobile cloud service providers, provided that the user knows all the identities of the service providers and vice versa. A formal security proof under the random oracle model is conducted to show the security robustness of our scheme.
II. PROTOCOL FRAMEWORK
This paper assumes that the distributed mobile cloud service environment is supported by a trusted smart card generator (SCG) service. Three roles take part in the proposed scheme: mobile users, distinct mobile cloud service providers, and a trusted SCG service. Notice that the trusted third party used in the proposed scheme is named the smart card generator (SCG) service rather than the IdP service, since our trusted third party securely issues one smart card to every registered user during the user registration phase. We assume that there are many mobile users and service providers within the distributed mobile cloud services environment, and that a small portion of these mobile users and service providers are malicious. Mobile users, service providers, and the trusted SCG are denoted by $V = \{U_i \mid i = 1, \ldots, n\}$, $W = \{SP_j \mid j = 1, \ldots, m\}$, and SCG. Fig. 3 illustrates the proposed system architecture. A user can anonymously access multiple mobile cloud computing services from different service providers without the involvement of the SCG during the user authentication phase. The SCG is only responsible for generating public parameters, as well as all private keys for service providers and users.

Fig. 3. Framework of our authentication scheme.
The proposed scheme includes three phases: system setup, registration, and authentication. During the system setup phase, the SCG first selects a random number as its master private key, computes the corresponding public key, and generates all public parameters. Then, the SCG publishes its public key and public parameters. After accomplishing the system setup phase, the registration phase is executed between the SCG and each one of the mobile users (or service providers) who wishes to join and utilize the authentication service. Mobile users and service providers are required to register with the SCG by sending their identities. Upon receiving these identities, the SCG computes and generates the corresponding private keys for these users and service providers before dispatching these keys back to the corresponding users and service providers securely. In accordance with the design of identity-based cryptosystems, the identities of mobile users and service providers also serve as their corresponding public keys. Finally, the authentication phase is executed between a mobile user and a service provider when the user requests a mobile service. During this phase, the mobile user and the targeted service provider are able to authenticate each other without the involvement of the SCG. A session key is also generated during authentication to encrypt/decrypt subsequent messages sent between the user and the service provider after authentication. The symbol notation used in the proposed scheme is shown in Table I.

TABLE I: SYMBOL NOTATION
III. PROPOSED SCHEME
This section describes the proposed authentication scheme for the distributed mobile cloud service environment. The trusted SCG is responsible for generating and distributing the private keys to the users and service providers securely. When a service provider $SP_j$ or a user $U_i$ joins the system, the SCG is not required to update its master key or the corresponding public key. Once a user obtains his/her private key, he/she can authenticate and communicate with any other legal entity by using this private key without the help of the SCG. Details of each phase are as follows.
System setup: Let $G_1$ be a cyclic additive group generated by $P$, and let $G_2$ be a cyclic multiplicative group, where $p$ is the prime order of both $G_1$ and $G_2$. First, SCG chooses $s$ as its master private key and computes $P_{pub} = sP$ as its corresponding public key. Next, SCG chooses a pairing function $e: G_1 \times G_1 \to G_2$, computes $e(P, P)$, and selects five collision-resistant hash functions $H_1: Z_p \to Z_p$, $H_2: G_2 \to Z_p$, $H_3: Z_p \to Z_p$, $H_4: Z_p \to Z_p$, and $h: Z_p \to G_1$. Finally, SCG publishes $\{e, H_1, H_2, H_3, H_4, h, P, P_{pub}, e(P, P)\}$ as the public parameters.
Registration: Each user $U_i$ (or service provider $SP_j$) sends his/her chosen identity $ID_i$ (or $ID_j$) to SCG for registration. Upon receiving identity $ID_i$ (or $ID_j$), SCG uses its master key $s$ and the received identity $ID_i$ (or $ID_j$) to compute the private key of user $U_i$ (or service provider $SP_j$)
$$S_i = \frac{1}{s + H_1(ID_i)}P \tag{1}$$
for each user $U_i$ (or service provider $SP_j$). Next, SCG sends $S_i$ (or $S_j$) back to the user $U_i$ (or service provider $SP_j$) through a secure channel. When a user $U_i$ obtains his/her private key from SCG, he/she computes $E_i = S_i \oplus h(PW_i \| f_i)$ and then stores $E_i$ on his/her mobile device, where $PW_i$ and $f_i$ are the password and the fingerprint of the user, respectively. When a service provider $SP_j$ obtains its private key from SCG, it stores the key in secure memory that only the provider can access.
Authentication: When a user $U_i$ wants to log in to the service provider $SP_j$, the user $U_i$ first enters his/her password $PW_i$ and fingerprint $f_i$ into the smart card, which then computes $E_i \oplus h(PW_i \| f_i) = S_i$. The user $U_i$ and the service provider $SP_j$ then perform the following steps, as illustrated in Fig. 4.
Fig. 4. Authentication phase of the proposed protocol.

Step 1) $U_i$ sends a service request to $SP_j$.
Step 2) $SP_j$ computes
$$Z = e(P, P)^a \tag{2}$$
where $a$ is a random number. Next, $SP_j$ sends $Z$ to $U_i$.
Step 3) Upon receiving $Z$ from $SP_j$, $U_i$ computes
$$K_{ij} = H_2(Z^b) = H_2\big(e(P, P)^{ab}\big) \tag{3}$$
$$K_2 = bP_{pub} + H_1(ID_j)bP \tag{4}$$
$$w = bP_{pub} + H_1(ID_i)bP \tag{5}$$
$$s_i = \frac{1}{b + H_3(ID_i \| Z \| ID_j \| w \| K_{ij})}S_i \tag{6}$$
$$C_1 = K_{ij} \oplus (ID_i \| s_i \| w) \tag{7}$$
where $b$ is a random number. $U_i$ then sends $(K_2, C_1)$ to $SP_j$. Note that $b$ can be preselected, and $bP_{pub}$, $bP$, and $bH_1(ID_i)P$ can be precomputed before authentication; thus, the computation costs of these values can be ignored.
Step 4) After receiving $(K_2, C_1)$ from $U_i$, $SP_j$ computes the session key
$$K_{ij} = H_2\big(e(K_2, S_j)^a\big) = H_2\big(e(P, P)^{ab}\big). \tag{8}$$
$SP_j$ then retrieves $(ID_i, s_i, w)$ by computing
$$(ID_i \| s_i \| w) = K_{ij} \oplus C_1. \tag{9}$$
Next, $SP_j$ calculates the values $e(s_i, w + H_3(ID_i \| Z \| ID_j \| w \| K_{ij})Q_i)$ and $e(P, P)$ individually and then checks whether these two values are equal, as shown in
$$e\big(s_i,\ w + H_3(ID_i \| Z \| ID_j \| w \| K_{ij})\,Q_i\big) = e(P, P) \tag{10}$$
where $Q_i = P_{pub} + H_1(ID_i)P$. If the two computed values $e(s_i, w + H_3(ID_i \| Z \| ID_j \| w \| K_{ij})Q_i)$ and $e(P, P)$ are equal, the validity of $U_i$ is authenticated. Note that $e(P, P)$ can be precomputed; thus, the associated computation cost can be ignored.
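As an added check, not spelled out in the paper itself, the two equalities that the service provider relies on in Step 4 can be verified by expanding them with the scheme's own definitions. Write $t$ as a shorthand for $H_3(ID_i \| Z \| ID_j \| w \| K_{ij})$ (this shorthand is introduced here only). For the session key, bilinearity of $e$ and the form of $S_j$ in (1) give
$$e(K_2, S_j)^a = e\Big(b\big(s + H_1(ID_j)\big)P,\ \frac{1}{s + H_1(ID_j)}P\Big)^a = e(P, P)^{ab} = Z^b,$$
so (3) and (8) yield the same $K_{ij}$ on both sides. For the user check, $w = b\,(P_{pub} + H_1(ID_i)P) = bQ_i$ by (5), hence $w + tQ_i = (b + t)Q_i = (b + t)\big(s + H_1(ID_i)\big)P$, and with $s_i$ from (6)
$$e(s_i,\ w + tQ_i) = e\Big(\frac{1}{(b + t)\big(s + H_1(ID_i)\big)}P,\ (b + t)\big(s + H_1(ID_i)\big)P\Big) = e(P, P),$$
which is exactly (10). Both steps use only bilinearity; producing a pair $(s_i, w)$ that satisfies (10) without knowing $S_i$ is what Theorem 1 reduces to the $k$-CAA problem.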
Step 5) $SP_j$ computes
$$D_i = H_4(K_{ij} \| Z \| ID_i \| ID_j) \tag{11}$$
and then sends it to $U_i$.
Step 6) When $U_i$ receives $D_i$ from $SP_j$, $U_i$ first computes
$$D_i = H_4(K_{ij} \| Z \| ID_i \| ID_j) \tag{12}$$
and then checks whether the computed $D_i$ and the received $D_i$ are the same. If the values are equal, the validity of $SP_j$ is authenticated. Note that $K_{ij} = H_2(e(P, P)^{ab})$ is the session key shared between user $U_i$ and service provider $SP_j$.
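The authentication phase above, run end to end as an added, self-contained example; this code is not from the paper or its authors. To stay dependency-free it replaces the elliptic-curve pairing with a constructed toy bilinear map: $G_1$ is the additive group $Z_p$ with generator $P = 1$, $G_2$ is the order-$p$ subgroup of $Z_q^*$ for a prime $q = kp + 1$, and $e(X, Y) = g^{XY}$. Discrete logarithms in $Z_p$ are trivial, so this setting has no security value; it only lets the message flow, the XOR masking of (7)/(9), the check (10), and the confirmation (11)/(12) be executed and tested, including the two failure cases a practitioner cares about (a wrong password on the card, and a message tampered in transit). Further assumptions made here: $H_1$ to $H_4$ and $h$ are SHA-256 reduced modulo $p$ with domain-separation tags, the XOR key $K_{ij}$ is stretched into a SHA-256 pad so it covers the whole $(ID_i \| s_i \| w)$ payload, fields are joined with a `|` separator that identifiers must not contain, and the party names `alice` and `sp.example` are made up.

```python
"""Toy end-to-end run of the SCG / user / service-provider protocol.  Constructed
example with an insecure toy bilinear map so it runs without a pairing library."""
import hashlib
import secrets

P_ORDER = 1000003  # prime p = |G1| = |G2| (toy size, assumption)
P_GEN = 1          # generator P of the additive group G1 = Z_p

def _is_prime(n):
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))

def _toy_g2(p):
    """Prime q = k*p + 1 and an element g of order p in Z_q^* (G2 = <g>)."""
    k = 2
    while not _is_prime(k * p + 1):
        k += 1
    q = k * p + 1
    g = next(pow(base, (q - 1) // p, q) for base in range(2, q)
             if pow(base, (q - 1) // p, q) != 1)
    return q, g

Q_MOD, G2_GEN = _toy_g2(P_ORDER)

def pair(x, y):
    """Symmetric bilinear map e: G1 x G1 -> G2 with e(xP, yP) = g^(xy)."""
    return pow(G2_GEN, (x * y) % P_ORDER, Q_MOD)

E_PP = pair(P_GEN, P_GEN)  # public parameter e(P, P)

def _hz(tag, *parts):
    """Random-oracle stand-in (assumption): tagged SHA-256 reduced into Z_p."""
    data = tag.encode() + b"\x00" + b"\x00".join(str(v).encode() for v in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % P_ORDER

def H1(ident): return _hz("H1", ident)               # Z_p -> Z_p
def H2(g2_elem): return _hz("H2", g2_elem)           # G2  -> Z_p
def H3(*parts): return _hz("H3", *parts)             # Z_p -> Z_p
def H4(*parts): return _hz("H4", *parts)             # Z_p -> Z_p
def h_card(pw, finger): return _hz("h", pw, finger)  # Z_p -> G1 (= Z_p here)

def xor_stream(key, data):
    """E_k / D_k of the paper: XOR masking.  Assumption: the Z_p key is stretched
    with counter-mode SHA-256 so the pad covers the whole (ID_i||s_i||w) payload."""
    pad, ctr = b"", 0
    while len(pad) < len(data):
        pad += hashlib.sha256(f"{key}|{ctr}".encode()).digest()
        ctr += 1
    return bytes(a ^ b for a, b in zip(data, pad))

class SCG:
    """Trusted smart card generator: master key s, public key Ppub = sP."""
    def __init__(self):
        self.s = secrets.randbelow(P_ORDER - 1) + 1
        self.Ppub = (self.s * P_GEN) % P_ORDER
    def extract(self, ident):                     # Eq. (1): S = (1/(s + H1(ID))) P
        inv = pow((self.s + H1(ident)) % P_ORDER, -1, P_ORDER)
        return (inv * P_GEN) % P_ORDER

class ServiceProvider:
    def __init__(self, ident, Ppub, S_j):
        self.ident, self.Ppub, self.S_j = ident, Ppub, S_j
    def step2(self):
        self.a = secrets.randbelow(P_ORDER - 1) + 1
        self.Z = pow(E_PP, self.a, Q_MOD)         # Eq. (2): Z = e(P,P)^a
        return self.Z
    def step4_5(self, K2, C1):
        """Eqs. (8)-(11); returns D_i, or None when the user is rejected."""
        K_ij = H2(pow(pair(K2, self.S_j), self.a, Q_MOD))             # Eq. (8)
        try:
            ID_i, s_i, w = xor_stream(K_ij, C1).decode().split("|")   # Eq. (9)
            s_i, w = int(s_i), int(w)
        except ValueError:                        # tampered C1 does not parse
            return None
        Q_i = (self.Ppub + H1(ID_i) * P_GEN) % P_ORDER
        t = H3(ID_i, self.Z, self.ident, w, K_ij)
        if pair(s_i, (w + t * Q_i) % P_ORDER) != E_PP:                # Eq. (10)
            return None
        self.K_ij = K_ij
        return H4(K_ij, self.Z, ID_i, self.ident)                     # Eq. (11)

class MobileUser:
    def __init__(self, ident, Ppub, S_i, pw, finger):
        self.ident, self.Ppub = ident, Ppub
        self.E_i = S_i ^ h_card(pw, finger)       # card stores E_i = S_i XOR h(PW||f)
    def step3(self, Z, sp_ident, pw, finger):
        S_i = self.E_i ^ h_card(pw, finger)       # wrong PW/fingerprint -> wrong S_i
        b = secrets.randbelow(P_ORDER - 1) + 1
        K_ij = H2(pow(Z, b, Q_MOD))                                   # Eq. (3)
        K2 = (b * self.Ppub + H1(sp_ident) * b * P_GEN) % P_ORDER     # Eq. (4)
        w = (b * self.Ppub + H1(self.ident) * b * P_GEN) % P_ORDER    # Eq. (5)
        t = H3(self.ident, Z, sp_ident, w, K_ij)
        s_i = (pow((b + t) % P_ORDER, -1, P_ORDER) * S_i) % P_ORDER   # Eq. (6)
        C1 = xor_stream(K_ij, f"{self.ident}|{s_i}|{w}".encode())     # Eq. (7)
        self.Z, self.sp_ident, self.K_ij = Z, sp_ident, K_ij
        return K2, C1
    def step6(self, D_i):                         # Eq. (12): recompute and compare
        return D_i is not None and D_i == H4(self.K_ij, self.Z, self.ident, self.sp_ident)

def run_session(user, sp, pw, finger, tamper=False):
    """Steps 1-6; returns (user_accepts_sp, sp_accepts_user, session_keys_match)."""
    Z = sp.step2()                                # Step 2 (Step 1 is the request)
    K2, C1 = user.step3(Z, sp.ident, pw, finger)  # Step 3
    if tamper:                                    # one bit of C1 flipped in transit
        C1 = bytes([C1[0] ^ 0x01]) + C1[1:]
    D_i = sp.step4_5(K2, C1)                      # Steps 4-5
    sp_ok = D_i is not None
    user_ok = user.step6(D_i)                     # Step 6
    return user_ok, sp_ok, sp_ok and sp.K_ij == user.K_ij

def demo(pw="correct-pw", finger="fp-template-01", login_pw=None, tamper=False):
    """Constructed parties 'alice' and 'sp.example'; login_pw overrides the typed PW."""
    scg = SCG()
    sp = ServiceProvider("sp.example", scg.Ppub, scg.extract("sp.example"))
    user = MobileUser("alice", scg.Ppub, scg.extract("alice"), pw, finger)
    return run_session(user, sp, login_pw or pw, finger, tamper)
```

`demo()` returns `(True, True, True)`: both parties accept each other and hold the same $K_{ij}$, with the SCG never contacted after the two `extract` calls. `demo(tamper=True)` and `demo(login_pw="wrong-pw")` both return `(False, False, False)`: in the first case $C_1$ no longer decrypts to a tuple satisfying (10), in the second the card recovers a wrong $S_i$ so $s_i$ fails (10), and in both the provider withholds $D_i$ so the user side of the handshake fails as well. Swapping `pair` for a real pairing over a curve group (and `_hz` for proper hash-to-group functions) is what separates this walkthrough from a deployable implementation.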
IV. SECURITY ANALYSIS
This section first introduces our security model and then demonstrates that the proposed scheme is secure under the random oracle model [42], [43].

A. Security Model
Let $P^i \in \{U_i, SP_j\}$ be an instance $i$ of a participant $P$. Any instance of each entity is seen as an oracle in this security model, and it is assumed that the probabilistic polynomial-time adversary $A$ potentially controls all communications between the mobile user and the service provider. The capabilities of the adversary are defined as follows. Further details of the security model can be found in [42] and [43].
1) Extract($ID_i$): This query allows the adversary $A$ to obtain the private key corresponding to identity $ID_i$.
2) Send($M$, $P^i$): This query models that an adversary $A$ can send any message $M$ to the oracle. Upon receiving the message $M$, the oracle returns the computation result to the adversary $A$.
3) $H_i(m)$: When an adversary $A$ sends a message $m$ to the hash query, the oracle returns $r$ and then stores $(m, r)$ in a hash list $L_{H_i}$, where $r$ is a random number, and $L_{H_i}$ is initially empty.
4) Reveal($P^i$): This query allows an adversary $A$ to learn a session key $K_{ij}$ from an oracle if the oracle receives a Reveal query request from adversary $A$.
5) Corrupt($P^i$): This query allows an adversary $A$ to corrupt the party $P^i$ and obtain the private key of the corrupted party $P^i$.
6) Test($P^i$): This query models the semantic security of the session key. In this query, when the oracle receives the test query request from an adversary $A$, the oracle flips a coin $c$. If $c = 1$, the oracle returns the session key $K_{ij}$ to the adversary $A$; otherwise, it sends a random number.

TABLE II: SIMULATION OF HASH QUERY

The employed definitions of partnering and freshness are described as follows.
1) Partnering: A user $U_i$ and a service provider $SP_j$ are said to be partners if the following conditions hold.
  a) $U_i \in V$ and $SP_j \in W$.
  b) Both $U_i$ and $SP_j$ share the same session key after authentication.
  c) No other oracle can join the same session instead of $U_i$ and $SP_j$.
2) Freshness: A session key constructed by an oracle and its partner is fresh if the following conditions hold.
  a) A session key $K_{ij} \neq \mathrm{NULL}$ is constructed by the user $U_i$ and the service provider $SP_j$ if no Reveal query is invoked on the user $U_i$ and the service provider $SP_j$.
  b) Send($U_i$, $M$) or Send($SP_j$, $M$) are called after the Corrupt query is called.

TABLE III: SIMULATION OF SEND QUERY

Let Succ($A$) be the event that the adversary $A$ successfully guesses the value of the bit $b$ selected in the Test query. The advantage held by the adversary $A$ against one specific authentication scheme is defined as
$$\mathrm{Adv}_{A,P}(k) = \big|2\Pr[\mathrm{Succ}(A)] - 1\big|.$$
B. Security Analysis
Security analysis for the proposed scheme is conducted here to show that the proposed scheme achieves user-to-service-provider authentication, service-provider-to-user authentication, and key agreement under the random oracle model in Theorems 1-3, respectively. User anonymity and user untraceability of the proposed scheme are also evaluated in Theorem 4. In order to clarify the hard mathematical problems used for the security analysis, definitions of three mathematical problems [27], [28], [44] are introduced in Definitions 1-3, respectively. Let $G_1$ be a cyclic additive group of prime order $q$.
Definition 1: Collusion Attack Algorithm with $k$ traitors ($k$-CAA problem): Given $P$, $sP$, $\{e_1, e_2, \ldots, e_k \in Z_q\}$, and $\{\frac{1}{s+e_1}P, \frac{1}{s+e_2}P, \ldots, \frac{1}{s+e_k}P\}$ for an integer $k$, $s \in Z_q$, and $P \in G_1$, it is infeasible to compute $\frac{1}{s+e_0}P$, where $e_0 \notin \{e_1, e_2, \ldots, e_k\}$.
Definition 2: Divisible computational Diffie-Hellman problem (DCDH problem): Given $xP$ and $yP$ for $x, y \in Z_q$ and $P \in G_1$, it is infeasible to compute $xy^{-1}P$.
Definition 3: Computational Diffie-Hellman problem (CDH problem): Given $aP$ and $bP$ for $a, b \in Z_q$ and $P \in G_1$, it is infeasible to compute $abP$.
Let $E_k(M)$/$D_k(M)$ denote XOR encryption/decryption of a message $M$ with key $k$. The Hash, Extract, Execute, Reveal, Send, Corrupt, and Test queries are used to simulate real attacks (refer to Tables II-IV). In the following, we show that the proposed scheme is secure under the random oracle model through Theorems 1-3. Theorem 4 is introduced to prove user anonymity and user untraceability of the proposed scheme. Note that the adversary $B$ maintains four hash lists, namely, $L_{H_1}$, $L_{H_2}$, $L_{H_3}$, and $L_{H_4}$, and all hash lists are initially empty.

TABLE IV: SIMULATION OF EXECUTE, REVEAL, AND TEST QUERIES

Theorem 1: Let $H_1$, $H_2$, $H_3$, and $H_4$ be four random oracles. If an adversary $A$ can successfully violate the scheme's user-to-service-provider authentication, an adversary $B$ can use the adversary $A$ to solve the $k$-CAA problem.
Proof: First, $B$ is given an instance $\{P, sP, \{e_1, e_2, \ldots, e_k \in Z_q\}, \{\frac{1}{s+e_1}P, \frac{1}{s+e_2}P, \ldots, \frac{1}{s+e_k}P\}\}$ of the $k$-CAA problem. In order to solve the $k$-CAA problem, $B$ intends to compute $\frac{1}{s+e_0}P$. $B$ then runs the system setup algorithm to generate all public parameters $\{G_1, G_2, e, H_1, H_2, H_3, H_4, h, P, P_{pub}, E(), D()\}$. Next, $B$ interacts with $A$ as follows.
$H_1$ hash query: When $A$ invokes an $H_1$ query on $ID_i$, $B$ checks whether $ID_i$ exists in $L_{H_1}$. If it is found in $L_{H_1}$, $B$ returns $h_1$ to $A$; otherwise, $B$ computes $h_1 = H_1(ID_i)$ and then stores a new tuple $(ID_i, h_1)$ in $L_{H_1}$. Next, $B$ returns $h_1$ to $A$.
$H_2$ hash query: If $A$ invokes an $H_2$ query on $e(Z, bP)$, $B$ checks whether $e(Z, bP)$ exists in $L_{H_2}$. If it is found in $L_{H_2}$, $B$ returns $h_2$ to $A$; otherwise, $B$ computes $h_2 = H_2(Z^b)$ and then stores a new tuple $(Z^b, h_2)$ in $L_{H_2}$. Next, $B$ returns $h_2$ to $A$.
$H_3$ hash query: Upon receiving the $H_3$ query request on $(ID_i, Z, ID_j, w, K_{ij})$ from $A$, $B$ checks whether $(ID_i, Z, ID_j, w, K_{ij})$ exists in $L_{H_3}$. If it is found in $L_{H_3}$, $B$ returns $h_3$ to $A$; otherwise, $B$ computes $h_3 = H_3(ID_i \| Z \| ID_j \| w \| K_{ij})$ and then stores a new tuple $(ID_i, Z, ID_j, w, K_{ij}, h_3)$ in $L_{H_3}$. Next, $B$ returns $h_3$ to $A$.
$H_4$ hash query: When $A$ invokes an $H_4$ query on $(K_{ij}, Z, ID_i, ID_j)$, $B$ checks whether $(K_{ij}, Z, ID_i, ID_j)$ exists in $L_{H_4}$. If it is found in $L_{H_4}$, $B$ returns $h_4$ to $A$; otherwise, $B$ computes $h_4 = H_4(K_{ij} \| Z \| ID_i \| ID_j)$ and then stores a new tuple $(K_{ij}, Z, ID_i, ID_j, h_4)$ in $L_{H_4}$. Next, $B$ returns $h_4$ to $A$.
Extract: When $A$ invokes an Extract query on $ID_i$, $B$ checks whether $H_1(ID_i) \in \{e_1, e_2, \ldots, e_k \in Z_q\}$. If not, $B$ returns a failure message to $A$ and terminates this query. We denote this event as $E_1$. Next, $B$ checks whether $ID_i$ is in $L_{H_1}$. If $ID_i$ is found in $L_{H_1}$, $B$ sends $S_i$ back to $A$. Otherwise, $B$ computes $S_i = \frac{1}{s + H_1(ID_i)}P$ and then sends $S_i$ back to $A$.
Send Query: Send queries are divided into five types: Send(Start, $U_i$), Send(Login request, $SP_j$), Send($Z$, $U_i$), Send($(K_2, C_1)$, $SP_j$), and Send($D_i$, $U_i$). Each Send query is described as follows.
1) Send(Start, $U_i$): When an adversary $A$ invokes a Send(Start, $U_i$) query, $B$ returns a login request to $A$.
2) Send(Login request, $SP_j$): When an adversary $A$ invokes a Send(Login request, $SP_j$) query, $B$ computes $Z = e(P, P)^a$ and then returns $Z$ to $A$, where $a$ is a random number.
3) Send($Z$, $U_i$): When an adversary $A$ invokes a Send($Z$, $U_i$) query, $B$ checks whether $H_1(ID_i) \in \{e_1, e_2, \ldots, e_k \in Z_q\}$. If not, $B$ returns a failure message to $A$ and terminates this query. We denote this event as $E_2$. $B$ then computes $K_{ij} = H_2(Z^b)$, $K_2 = bP_{pub} + H_1(ID_j)bP$, $w = bP_{pub} + H_1(ID_i)bP$, $s_i = \frac{1}{b + H_3(ID_i \| Z \| ID_j \| w \| K_{ij})}S_i$, and $C_1 = E_{K_{ij}}(ID_i \| s_i \| w)$, where $b$ is a random number. $B$ then returns $(K_2, C_1)$ to $A$.
4) Send($(K_2, C_1)$, $SP_j$): When an adversary $A$ invokes a Send($(K_2, C_1)$, $SP_j$) query, $B$ computes $K_{ij} = H_2(e(K_2, S_j)^a)$, $(ID_i \| s_i \| w) = D_{K_{ij}}(C_1)$, and $Q_i = P_{pub} + H_1(ID_i)P$. $B$ then checks whether $e(s_i, w + H_3(ID_i \| Z \| ID_j \| w \| K_{ij})Q_i)$ is the same as $e(P, P)$. If the equation holds, $B$ computes $D_i = H_4(K_{ij} \| Z \| ID_i \| ID_j)$ and returns $D_i$ to $A$. Otherwise, $B$ returns a rejection message to $A$.
5) Send($D_i$, $U_i$): When an adversary $A$ invokes a Send($D_i$, $U_i$) query, $B$ computes $D_i = H_4(K_{ij} \| Z \| ID_i \| ID_j)$ and then checks whether the computed $D_i$ is the same as the received $D_i$. If they are equal, $B$ authenticates $A$. Otherwise, $B$ rejects this login request.
Analysis: An adversary is said to violate user-to-service-provider authentication if it can forge the authentic message $(w, s_i)$ without knowing the user's private key. In this scenario, $A$ returns a fake signature $(w', s_i')$ on the message $(ID_i \| Z \| ID_j \| w \| K_{ij})$ to obtain identity $ID_i$. This fake signature $(w', s_i')$ can pass the verification process based on (10). If $H_1(ID_i)$ is in $\{e_1, e_2, \ldots, e_k \in Z_q\}$, the failure message is returned. We denote this event as $E_3$. Otherwise, $B$ can successfully solve the $k$-CAA problem, since $A$ generates a tuple $\big(H_1(ID_i) = e_i \notin \{e_1, e_2, \ldots, e_k \in Z_q\},\ \frac{1}{s+e_i}P \notin \{\frac{1}{s+e_1}P, \frac{1}{s+e_2}P, \ldots, \frac{1}{s+e_k}P\}\big)$. The advantage of $B$ can be analyzed as follows.
Consider the advantage of $B$ and the advantage of breaking the proposed scheme. The outputs of each Hash, Extract, and Send($Z$, $U_i$) query are valid unless the events $E_1$, $E_2$, and $E_3$ occur, respectively. In other words, $B$ can use $A$ to break the $k$-CAA problem if none of the events $E_1$, $E_2$, and $E_3$ occurs. Thus, the probability for $B$ to break the $k$-CAA problem successfully is
$$\Pr[\lnot E_1 \wedge \lnot E_2 \wedge \lnot E_3] = \frac{q_E}{q_{H_1}}\left(\frac{q_{H_1} - q_E}{q_{H_1}}\right)^{q_E + q_S}$$
where $A$ makes $q_{H_1}$ $H_1$ queries, $q_E$ Extract queries, and $q_S$ Send($Z$, $U_i$) queries. The probability that $A$ generates a fake signature $(w', s_i')$ without invoking the $H_3$ query is $1/2^k$, where $k$ is the bit length of the result of the $H_3$ hash query. Thus, the advantage of $B$ is the advantage of breaking the proposed scheme scaled by this probability, less the guessing term:
$$\mathrm{Adv}_B \ge \mathrm{Adv}_{A,P}(k)\,\frac{q_E}{q_{H_1}}\left(\frac{q_{H_1} - q_E}{q_{H_1}}\right)^{q_E + q_S} - \frac{1}{2^k}.$$
Theorem 2: Let H1 , H2 , H3 , and H4 be four random
oracles. If an adversary A can violate the service-provider-touser authentication of the proposed scheme successfully, an
adversary B can use adversary A to solve the DCDH problem.
Proof: First, B runs the system set up algorithm to generate
all public parameters {G1 , G2 , e, H1 , H2 , H3 , H4 , h, P, Ppub ,
E(), D()}. B then interacts with A as follows.
H1 hash query: When A invokes an H1 query on IDj , B
checks whether IDj exists in LH1 . If the latter is found in LH1 ,
B returns h1 to A; otherwise, B computes h1 = H1 (IDj ) and
then stores a new tuple (IDj , h1 ) in LH1 . Next, B returns h1 to A.
H2 hash query: If A invokes an H2 query on e(Z, bP ),
B checks whether e(Z, bP ) exists in LH2 . If the latter is
found in LH2 , B returns h2 to A; otherwise, B computes
h2 = H2 (e(Z, bP )) and then stores a new tuple (e(Z, bP ), h2 )
in LH2 . Next, B returns h2 to A.
H3 hash query: Upon receiving the H3 query request on (IDi , Z, IDj , w, Kij ) from A, B checks whether

812

(IDi , Z, IDj , w, Kij ) exists in LH3 . If (IDi , Z, IDj , w, Kij ) is


found in LH3 , B returns h3 to A; otherwise, B computes
h3 = H3 (IDi ZIDj wKij ) and then stores a new tuple
(IDi , Z, IDj , w, Kij , h3 ) in LH3 . Next, B returns h3 to A.
H4 hash query: When A invokes an H4 query on
(Kij , Z, IDi , IDj ), B checks whether (Kij , Z, IDi , IDj ) exists
in LH4 . If the latter is found in LH4 , B returns h4 to A;
otherwise, B computes h4 = H4 (Kij Z, IDi IDj ) and then
stores a new tuple (Kij , Z, IDi , IDj , h4 ) in LH4 . Next, B
returns h4 to A.
Send Query: Send queries are divided into five types:
Send(Start, Ui ), Send(Login request, SPj ), Send(Z, Ui ),
Send((K2 , C1 ), SPj ), and Send(Di , Ui ). Each Send query is
described as follows.
1) Send(Start, Ui ): When A invokes a Send(Start, Ui ) query,
B returns a login request to A.
2) Send(Login request, SPj): When A invokes a Send(Login request, SPj) query, B computes Z = e(P, P)^a and then returns Z to A, where a is a random number.
3) Send(Z, Ui): When A invokes a Send(Z, Ui) query, B computes Kij = H2(Z^b), K2 = bPpub + H1(IDj)bP, w = bPpub + H1(IDi)bP, si = (1/(b + H3(IDi‖Z‖IDj‖w‖Kij)))Sj, and C1 = E_Kij(IDi‖si‖w), where b is a random number. B then returns (K2, C1) to A.
4) Send((K2, C1), SPj): When A invokes a Send((K2, C1), SPj) query, B computes Kij = H2(e(K2, Sj)^a), (IDi‖si‖w) = D_Kij(C1), and Qi = Ppub + H1(IDi)P. B then checks whether e(si, w + H3(IDi‖Z‖IDj‖w‖Kij)Qi) is the same as e(P, P). If the equation holds, B computes Di = H4(Kij‖Z‖IDi‖IDj) and then returns Di to A; otherwise, B returns a rejection message to A.
5) Send(Di, Ui): When A invokes a Send(Di, Ui) query, B computes Di = H4(Kij‖Z‖IDi‖IDj) and then checks whether the computed Di is the same as the received Di. If they are equivalent, B authenticates A; otherwise, B rejects this login request.
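The five Send steps above as a runnable toy model, added here and not code from the paper: G1 points kP are represented by their scalars k mod q and the pairing e(aP, bP) is modelled as g^(ab) mod p in a prime-order subgroup, which keeps the bilinear algebra but makes the discrete logarithm trivial (Ppub is literally s), so it illustrates the scheme's equations and the service provider's pairing check, not its security. Assumptions beyond the page: si is computed with the user's own private key Si (the value that makes the pairing check succeed), E()/D() is a SHA-256 counter keystream, and the Miller-Rabin parameter search and all identifiers are constructed for this example.

```python
import hashlib
import secrets

def is_prime(n, rounds=16):  # Miller-Rabin probable-prime test, n > 3 (constructed helper)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x not in (1, n - 1) and all((x := x * x % n) != n - 1 for _ in range(r - 1)):
            return False
    return True

def setup(bits=64):
    """SCG setup: safe prime p = 2q + 1, g = 4 of order q, master key s and Ppub = sP (scalar s)."""
    while True:
        q = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_prime(q) and is_prime(2 * q + 1):
            break
    s = secrets.randbelow(q - 1) + 1
    return {"p": 2 * q + 1, "q": q, "g": 4, "Ppub": s}, s

def pair(pp, a, b):  # toy pairing: e(aP, bP) = g^(ab) mod p
    return pow(pp["g"], a * b % pp["q"], pp["p"])

def Hb(tag, *parts):  # H2 / H4: hash the concatenation to a byte string
    return hashlib.sha256(tag + b"|".join(str(x).encode() for x in parts)).digest()

def Hq(pp, tag, *parts):  # H1 / H3: hash the concatenation into Z_q
    return int.from_bytes(Hb(tag, *parts), "big") % pp["q"]

def extract(pp, s, ID):  # SCG registration (1 Tm): private key S = (1/(s + H1(ID))) P
    return pow((s + Hq(pp, b"H1", ID)) % pp["q"], -1, pp["q"])

def xor_stream(key, data):  # stand-in for E()/D(): SHA-256 counter keystream (not an AEAD)
    ks = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range(len(data) // 32 + 1))
    return bytes(x ^ y for x, y in zip(data, ks))

def run_session(pp, IDi, Si, IDj, Sj):
    """Steps 2-5 of the authentication phase; returns (SP accepts user, user accepts SP, keys agree)."""
    q, p = pp["q"], pp["p"]
    a = secrets.randbelow(q - 1) + 1                    # SPj answers the login request with
    Z = pow(pair(pp, 1, 1), a, p)                       # Z = e(P, P)^a
    b = secrets.randbelow(q - 1) + 1                    # Ui: Kij = H2(Z^b), K2 = b(Ppub + H1(IDj)P),
    Kij_u = Hb(b"H2", pow(Z, b, p))                     # w = b(Ppub + H1(IDi)P),
    K2 = b * (pp["Ppub"] + Hq(pp, b"H1", IDj)) % q      # si = (1/(b + H3(...))) Si,
    w = b * (pp["Ppub"] + Hq(pp, b"H1", IDi)) % q       # C1 = E_Kij(IDi || si || w)
    si = pow((b + Hq(pp, b"H3", IDi, Z, IDj, w, Kij_u.hex())) % q, -1, q) * Si % q
    C1 = xor_stream(Kij_u, f"{IDi}|{si}|{w}".encode())
    Kij_sp = Hb(b"H2", pow(pair(pp, K2, Sj), a, p))     # SPj: Kij = H2(e(K2, Sj)^a), open C1
    IDi_r, si_r, w_r = xor_stream(Kij_sp, C1).decode().split("|")
    si_r, w_r, Qi = int(si_r), int(w_r), (pp["Ppub"] + Hq(pp, b"H1", IDi_r)) % q
    h3 = Hq(pp, b"H3", IDi_r, Z, IDj, w_r, Kij_sp.hex())
    sp_ok = pair(pp, si_r, (w_r + h3 * Qi) % q) == pair(pp, 1, 1)   # e(si, w + h3 Qi) == e(P, P)?
    Di = Hb(b"H4", Kij_sp.hex(), Z, IDi_r, IDj) if sp_ok else None  # Di only after a valid user
    user_ok = Di == Hb(b"H4", Kij_u.hex(), Z, IDi, IDj)              # Ui recomputes and compares Di
    return sp_ok, user_ok, Kij_u == Kij_sp
```

A user presenting a private key that the SCG issued for a different identity still agrees on Kij (key agreement does not depend on the check) but fails the pairing check and never receives Di, so neither side authenticates.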
Analysis: Let qu be the number of instances of user authentication in the game, l be the bit length of the ECC point, and k be the bit length of the result of the H4 query. Adversary A is able to successfully break the user-to-service-provider authentication if A can forge the authentic message Di. There are three different conditions under which A can forge the authentic message Di.
1) Adversary A correctly guesses the value of Di without calling the H4 query and without knowing Kij. In this situation, the probability for A to correctly guess the value of Di is less than 1/2^k.
2) Adversary A does not need to guess the value of Di or any other parameters if the authentic message (Z, K2) in this session is the same as the one in a previous session. The probability for A to correctly guess the value of Di in this situation is less than q_u^2/2^l.
3) Adversary A wants to obtain the session key Kij in order to break the service-provider-to-user authentication successfully. Let Ppub + H1(IDj)P = xP, and K2 = bPpub + bH1(IDj)P = bxP for some b, x, a ∈ Zq. Adversary B needs to solve the DCDH problem in order to obtain bP. The probability for A to correctly guess the value of Di in this situation is ε.
In summary, if the advantage for adversary A to masquerade as a legal service provider is a nonnegligible advantage ε, then adversary B can solve the DCDH problem with the advantage ε − 1/2^k − q_u^2/2^l.
Theorem 3: There exists an adversary B who can use an
adversary A to solve the CDH problem if A can correctly guess
the value of the coin b tossed in the Test query.
Proof: Let Ask be the event that the session key Kij is learned by A, Test(Ui) be the event that a Test query to the oracle of Ui is invoked successfully, E_U2SP be the event that the user-to-service-provider authentication of the proposed authentication scheme is broken by A, and Test(SPj) be the event that a Test query to the oracle of SPj is successfully invoked. Because of the constraints on the Test query, the following probability inequality holds:

$$\frac{\varepsilon}{2} \le \Pr[\mathrm{Ask} \wedge \mathrm{Test}(U_i)] + \Pr[\mathrm{Ask} \wedge \mathrm{Test}(SP_j) \wedge E_{U2SP}] + \Pr[\mathrm{Ask} \wedge \mathrm{Test}(SP_j) \wedge \neg E_{U2SP}].$$

Let Pr_U2SP be the probability for A to break user-to-service-provider authentication, i.e., Pr_U2SP = Pr[Ask ∧ Test(SPj) ∧ E_U2SP]. Then, we have

$$\frac{\varepsilon}{2} \le \Pr[\mathrm{Ask} \wedge \mathrm{Test}(U_i)] + \Pr[\mathrm{Ask} \wedge \mathrm{Test}(SP_j) \wedge \neg E_{U2SP}] + \Pr_{U2SP}.$$

Obviously, Pr[Ask ∧ Test(SPj) ∧ ¬E_U2SP] = 0, and we have

$$\Pr[\mathrm{Ask} \wedge \mathrm{Test}(U_i)] \ge \frac{\varepsilon}{2} - \Pr_{U2SP}.$$

In Theorems 1 and 2, it was shown that the probability Pr_U2SP is negligible and ε is nonnegligible. Thus, the probability (ε/2) − Pr_U2SP is also nonnegligible. As a result, if adversary A can correctly guess the value of the coin b tossed in the Test query, the CDH problem can be solved.
Theorem 4: There exists an adversary B who can use another adversary A to solve the DCDH problem if adversary A
can break initiator anonymity and initiator untraceability of the
proposed scheme.
Proof: If an adversary wants to break initiator anonymity
and untraceability of the proposed scheme, the adversary must
have the session key Kij = H2(e(P, P)^ab) in order to decrypt
message C1 . Theorem 2 has shown that the probability for an
adversary to learn the session key is the same as the probability
for an adversary to solve the DCDH problem. Thus, the proposed scheme can achieve both initiator anonymity and initiator
untraceability.
V. COMPARISONS AND PERFORMANCE
This section first compares the proposed authentication scheme with existing authentication schemes [32], [35], [37]–[39], [41] in terms of security. Table V shows the results of the comparison. Notice that most of the existing schemes, such as the ones in [35], [37]–[39], [41], and [42], are designed for a client–server environment, and these schemes are not suitable to be directly applied to a distributed cloud services environment.

TABLE V
COMPARISONS WITH OTHER EXISTING SCHEMES IN TERMS OF SECURITY PROPERTIES

The scheme described in [32] is suitable for a distributed mobile cloud services environment; however, it does not support user
anonymity and user untraceability. Therefore, one of the design
goals for the proposed scheme is to offer user anonymity
and user untraceability to preserve user privacy. In order to
evaluate security strength of a proposed authentication scheme,
security analysis based on formal proof technique is usually
conducted. From Table V, it is very obvious that only our
scheme and the scheme proposed in [41] have conducted formal
proof process in terms of security strength. Existing schemes
introduced in [35] and [37]–[39] are also vulnerable to several
security threats. For example, the schemes in [35] and [37] are
vulnerable to replay attack, time synchronization problem, and
forgery attack; the existing scheme in [38] is vulnerable to time
synchronization problem and forgery attack; and the scheme
in [39] is vulnerable to offline password guessing attack and
forgery attack. Next, we analyze the computation costs of the
proposed scheme.
Let Tb be the time required to perform a bilinear pairing operation, and let Tm be the time required to perform a point multiplication operation. In general, the time required to perform
a one-way hash function is much less than the time consumed
for the two operations previously mentioned. Therefore, the
time consumed by hash operations within our scheme is ignored
in Table VI. As bitwise Exclusive-OR operation and bitwise
concatenation operation both are much faster than one-way
hash function operation, we also ignore time consumption from
both operations within one user authentication session when
drawing Table VI. Efficiency analysis of our scheme in terms
of computation time is presented in Table VI. During the
registration phase, the SCG requires only 1Tm to compute one
private key for a mobile user Ui or a service provider SPj .
During the user authentication phase, a user Ui requires 3Tm
to authenticate the targeted service provider SPj , provided that
bPpub , bP , and bH1 (IDi )P are precomputed before authentication. The targeted service provider SPj requires 2Tb + 4Tm to
authenticate the corresponding user Ui .
TABLE VI
EFFICIENCY ANALYSIS OF THE PROPOSED SCHEME

In order to evaluate the performance efficiency of the proposed scheme on a mobile device, one HTC Desire HD smartphone is used as the measurement platform. The HTC Desire HD phone has a single-core 1-GHz Qualcomm 8255 Snapdragon CPU and 768-MB RAM. The Android operating system was installed on this HTC mobile phone. Since Android supports a subset of the Java core libraries, the jPBC library [45], [46] was also adopted and installed onto the HTC mobile phone.
In our experiments, the equation of the elliptic curve was y^2 = x^3 + x over the field F_q for a prime q ≡ 3 (mod 4). The size of the order r was set to 160 bits. The time required to
perform the elliptic curve scalar multiplication operation is only
42 ms using HTC Desire HD. Therefore, if a 1-GHz mobile
phone (such as HTC Desire HD) is used and the ECC key
size is 256 bits, the total time consumption on a mobile phone
during each session is only 0.126 s. The security strength of a
256-bit ECC key is equivalent to an RSA key with 3072 bits
[25]. The proposed scheme is therefore efficient under this high
security level. As newly deployed mobile devices are typically
equipped with higher clock speed CPU chips, the proposed
authentication scheme is therefore very practical for current
mobile wireless environments. Notice that the jPBC library
website [45] has posted its own benchmark results for ECC and
pairing operations. From the Testbed 1 benchmark results of jPBC, an elliptic curve operation took only 2.841 ms on the experimental device equipped with an Intel Core2 Quad-core 2.40-GHz CPU and 3-GB RAM.
VI. CONCLUSION
This paper has proposed a new anonymous authentication
scheme for distributed mobile cloud services environment.
The proposed scheme allows a mobile user to access multiple
services from different mobile cloud service providers using
only one single private key. The proposed scheme supports
mutual authentication, key exchange, user anonymity, and user
untraceability. Security analyses have shown that the proposed
authentication scheme withstands all major security threats and meets general security requirements. In addition, no verification table is required to be implemented at service providers or
the trusted SCG service. In the proposed scheme, the trusted
SCG service is not involved in individual user authentication
process. With this design, our scheme reduces authentication
processing time required by communication and computation
between cloud service providers and traditional trusted third
party service. As security strength of the proposed scheme is
based on nonce and bilinear pairing, the scheme itself is not
subject to time synchronization problem and can be easily implemented in distributed mobile cloud computing environment.
REFERENCES
[1] N. Fernando, S. W. Loke, and W. Rahayu, "Mobile cloud computing: A survey," Future Gen. Comput. Syst., vol. 29, no. 1, pp. 84–106, Jan. 2013.
[2] G. Le, K. Xu, M. Song, and J. Song, "A survey on research on mobile cloud computing," in Proc. 10th IEEE/ACIS Int. Conf. Comput. Inf. Sci., 2011, pp. 387–392.
[3] X. F. Qiu, J. W. Liu, and P. C. Zhao, "Secure cloud computing architecture on mobile Internet," in Proc. 2nd Int. Conf. AIMSEC, 2011, pp. 619–622.
[4] W. G. Song and X. L. Su, "Review of mobile cloud computing," in Proc. IEEE 3rd ICCSN, 2011, pp. 1–4.
[5] ABI Research Report, "Mobile Cloud Applications." [Online]. Available: http://www.abiresearch.com/research/1003385-Mobile+Cloud+Computing
[6] P. Urien, E. Marie, and C. Kiennert, "An innovative solution for cloud computing authentication: Grids of EAP-TLS smart cards," in Proc. 5th Int. Conf. Digit. Telecommun., 2010, pp. 22–27.
[7] H. Ahn, H. Chang, C. Jang, and E. Choi, "User authentication platform using provisioning in cloud computing environment," in Proc. ACN CCIS, 2011, vol. 199, pp. 132–138.
[8] H. Chang and E. Choi, "User authentication in cloud computing," in Proc. UCMA CCIS, 2011, vol. 151, pp. 338–342.
[9] J. L. Tsai, N. W. Lo, and T. C. Wu, "Secure delegation-based authentication protocol for wireless roaming service," IEEE Commun. Lett., vol. 16, no. 7, pp. 1100–1102, Jul. 2012.
[10] W. Itani, A. Kayssi, and A. Chehab, "Privacy as a service: Privacy-aware data storage and processing in cloud computing architectures," in Proc. IEEE Int. Conf. Dependable Auton. Secure Comput., 2009, pp. 711–716.
[11] S. Pearson, "Taking account of privacy when designing cloud computing services," in Proc. CLOUD ICSE Workshop Softw. Eng. Challenges Cloud Comput., 2009, pp. 44–52.
[12] H. Takabi, J. B. D. Joshi, and G. Ahn, "Security and privacy challenges in cloud computing environments," IEEE Security Privacy, vol. 8, no. 6, pp. 24–31, Nov./Dec. 2010.
[13] Z. Xiao and Y. Xiao, "Security and privacy in cloud computing," IEEE Commun. Surveys Tuts., vol. 15, no. 2, pp. 843–859, Jul. 2012.
[14] OASIS, "SAML version 2.0 errata 05," May 2012. [Online]. Available: http://docs.oasis-open.org/security/saml/v2.0/sstc-saml-approved-errata2.0.pdf
[15] OpenID Foundation, "OpenID Authentication 2.0," 2007. [Online]. Available: http://openid.net/specs/openid-authentication-2_0.html
[16] OpenID Foundation, "OpenID Specifications," 2007. [Online]. Available: http://openid.net/developers/specs/
[17] OpenID Foundation, "The OpenID User Interface Extension 1.0, Draft 0.5," 2009. [Online]. Available: http://svn.openid.net/repos/specifications/user_interface/1.0/trunk/openid-user-interface-extension-1_0.html
[18] OpenID Foundation, "The OpenID User Interface Extension Best Practices for Identity Providers," 2009. [Online]. Available: http://wiki.openid.net/w/page/12995153/Details-of-UX-Best-Practices-for-OPs
[19] Google, "SAML Single Sign-On (SSO) Service for Google Apps," 2008. [Online]. Available: https://developers.google.com/google-apps/sso/saml_reference_implementation?hl=zh-tw
[20] Google, "Google Security and Product Safety," 2009. [Online]. Available: http://www.google.com/about/company/security.html
[21] Microsoft, "Windows Live ID," 2011. [Online]. Available: https://account.live.com/
[22] A. Armando et al., "An authentication flaw in browser-based single sign-on protocols: Impact and remediations," Comput. Security, vol. 33, pp. 41–58, Mar. 2013.
[23] N. Koblitz, "Elliptic curve cryptosystems," Math. Comput., vol. 48, no. 177, pp. 203–209, 1987.
[24] V. Miller, "Use of elliptic curves in cryptography," in Proc. CRYPTO, 1986, pp. 417–426.
[25] "Recommendation for key management, Part 1: General," Gaithersburg, MD, USA, Aug. 2005, Special Publication 800-57.
[26] D. Boneh and M. Franklin, "Identity-based encryption from the Weil pairing," in Advances in Cryptology, CRYPTO, vol. 2139, LNCS. Berlin, Germany: Springer-Verlag, 2001, pp. 213–229.
[27] J. C. Cha and J. H. Cheon, "An identity-based signature from gap Diffie–Hellman groups," in Public Key Cryptography, PKC, vol. 2139, LNCS. Berlin, Germany: Springer-Verlag, 2003, pp. 18–30.
[28] H. Z. Du and Q. Y. Wen, "An efficient identity-based short signature scheme from bilinear pairings," in Proc. Int. Conf. CIS, 2007, pp. 725–729.
[29] H. W. Lim and M. Robshaw, "On identity-based cryptography and grid computing," in Proc. ICCS, 2004, pp. 474–477.
[30] H. W. Lim and M. Robshaw, "A dynamic key infrastructure for GRID," in Proc. EGC, 2005, pp. 255–264.
[31] W. Mao, "An identity-based non-interactive authentication framework for computational grids," HP Labs, Palo Alto, CA, USA, Tech. Rep. HPL-2004-96, Jun. 2004.
[32] H. Li, Y. Dai, L. Tian, and H. Yang, "Identity-based authentication for cloud computing," in Proc. CloudCom, 2009, pp. 157–166.
[33] V. S. Hughes, "Information hiding, anonymity and privacy: A modular approach," J. Comput. Security, vol. 12, no. 1, pp. 3–36, Jan. 2004.
[34] J. L. Tsai, N. W. Lo, and T. C. Wu, "Novel anonymous authentication scheme using smart cards," IEEE Trans. Ind. Informat., vol. 9, no. 4, pp. 2004–2013, Nov. 2013.
[35] M. L. Das, A. Saxena, V. P. Gulati, and D. B. Phatak, "A novel remote user authentication scheme using bilinear pairings," Comput. Security, vol. 25, no. 3, pp. 184–189, May 2006.
[36] J. S. Chou, Y. Chen, and J. Y. Lin, "Improvement of Das et al.'s remote user authentication scheme," Cryptology ePrint Archive, 2005. [Online]. Available: http://eprint.iacr.org/2005/450.pdf
[37] T. Goriparthi, M. L. Das, and A. Saxena, "An improved bilinear pairing based remote user authentication scheme," Comput. Std. Interfaces, vol. 31, no. 1, pp. 181–185, Jan. 2009.
[38] A. S. Khan Pathan, C. S. Hong, and K. Hee, "Bilinear-pairing-based remote user authentication schemes using smart cards," in Proc. 3rd Int. Conf. Ubiquitous Inf. Manage. Commun., 2009, pp. 356–361.
[39] T. H. Chen, H. L. Yeh, and W. K. Shih, "An advanced ECC dynamic ID-based remote mutual authentication scheme for cloud computing," in Proc. 5th FTRA Int. Conf. Multimedia Ubiquitous Eng., 2011, pp. 155–159.
[40] D. Wang, Y. Mei, C. G. Ma, and Z. S. Cui, "Comments on an advanced dynamic ID-based authentication scheme for cloud computing," in Web Information Systems and Mining, vol. 752, LNCS. Berlin, Germany: Springer-Verlag, 2012, pp. 246–253.
[41] H. Sun, Q. Wen, H. Zhang, and Z. Jin, "A novel remote user authentication and key agreement scheme for mobile client–server environment," Appl. Math. Inf. Sci., vol. 7, no. 4, pp. 1365–1374, 2013.
[42] M. Bellare, D. Pointcheval, and P. Rogaway, "Authenticated key agreement secure against dictionary attacks," in Proc. EUROCRYPT, 2000, pp. 139–155.
[43] M. Jakobsson and D. Pointcheval, "Mutual authentication for low-power mobile devices," in Proc. FC, Feb. 19–22, 2001, pp. 178–195.
[44] F. Bao, R. H. Deng, and H. Zhu, "Variations of Diffie–Hellman problem," in Proc. 5th ICICS, 2003, pp. 301–312.
[45] A. D. Caro and V. Iovino, "jPBC: Java pairing based cryptography," in Proc. IEEE ISCC, 2011, pp. 850–855.
[46] jPBC: Java Pairing Based Cryptography. [Online]. Available: http://gas.dia.unisa.it/projects/jpbc

Jia-Lun Tsai received the M.S. degree from National Chiao Tung University, Hsinchu, Taiwan, in 2007 and the Ph.D. degree from National Taiwan University of Science and Technology (NTUST), Taipei, Taiwan, in 2013.
He is currently with the Department of Information Management, NTUST, and the Taiwan Information Security Center at National Taiwan University of Science and Technology. He has authored or coauthored over 20 papers in journals and conference proceedings. His research interests include cryptography, wireless security, and network security.

Nai-Wei Lo received the B.S. degree in engineering science from National Cheng Kung University, Tainan, Taiwan, in 1988 and the M.S. and Ph.D. degrees in computer science and electrical engineering from the State University of New York, Stony Brook, NY, USA, in 1992 and 1998, respectively.
He is currently an Associate Professor in the Department of Information Management, National Taiwan University of Science and Technology, Taipei, Taiwan. His research interests include cryptography, radio-frequency identification applications and security, wireless network routing and security, web technology, and fault tolerance.
Prof. Lo is a member of the IEEE Communications Society.