An ID-based remote mutual authentication with key agreement scheme for mobile devices on elliptic curve cryptosystem


computers & security 28 (2009) 138–143

available at www.sciencedirect.com

journal homepage: www.elsevier.com/locate/cose

Jen-Ho Yang a, Chin-Chen Chang a,b,*

a Department of Computer Science and Information Engineering, National Chung Cheng University, 160 San-Hsing, Ming-Hsiung, Chiayi 621, Taiwan, ROC
b Department of Information Engineering and Computer Science, Feng Chia University, 100 Wenhwa Rd., Seatwen, Taichung 40724, Taiwan, ROC

Article info

Article history: Received 21 August 2008; Accepted 26 November 2008.

Keywords: ID-based; Mutual authentication; Key agreement; Elliptic curve; Cryptosystem.

Abstract

Recently, remote user authentication schemes have been implemented on elliptic curve cryptosystems (ECC) to reduce the computation loads of mobile devices. However, most remote user authentication schemes on ECC are based on public-key cryptosystems, in which each public key in the system requires an associated certificate to prove its validity. Thus, the user needs to perform additional computations to verify the certificate in these schemes. In addition, we find that these schemes do not provide mutual authentication or a session key agreement between the user and the remote server. Therefore, we propose an ID-based remote mutual authentication with key agreement scheme on ECC in this paper. Based upon the ID-based concept, the proposed scheme does not require public keys for users, so that the additional computations for certificates can be reduced. Moreover, the proposed scheme not only provides mutual authentication but also supports a session key agreement between the user and the server. Compared with the related works, the proposed scheme is more efficient and practical for mobile devices. © 2008 Elsevier Ltd. All rights reserved.

1. Introduction

With the rapid development of electronic technology, various mobile devices (e.g., cell phones, PDAs, and notebook PCs) are produced to make human life more convenient. This also turns some traditional transactions into electronic transactions. Because mobile devices are portable, people can accomplish electronic transactions with them anytime and anywhere. Moreover, the merchant can reduce costs by not maintaining a physical store. Thus, more and more electronic transactions for mobile devices are implemented on the Internet or on wireless networks.

In electronic transactions, remote user authentication over an insecure channel is an important issue. For example, when a user wants to log in to a remote server and access its services, such as on-line shopping and pay-TV, the user and the server must authenticate each other's identity for a fair transaction. Generally, remote user authentication can be implemented with traditional public-key cryptosystems (PKC), such as those of Rivest et al. (1978) and ElGamal (1985). However, PKC needs to compute modular exponentiations, which are time-consuming operations. In addition, the computation ability and battery capacity of mobile devices are limited. Therefore, PKC-based remote authentication schemes are not suitable for mobile devices.

To solve the above problems, various authentication schemes based on elliptic curve cryptosystems (ECC) have been proposed (Abichar et al., 2007; Choie et al., 2005; Cao et al., 2008; Chen and Song, 2007; Jiang et al., 2007; Jia et al., 2006; Liao and Wang, 2007; Tian et al., 2005; Wu et al., 2005). ECC was first proposed by Miller (1986) and Koblitz (1987), and its security is based upon the difficulty of the elliptic curve discrete logarithm problem (ECDLP). Compared with PKC, ECC offers better performance because it achieves the same security with a smaller key size. For example, 160-bit ECC and 1024-bit RSA have the same security level in practice (Hankerson et al., 2004). Thus, ECC-based authentication schemes are more suitable for mobile devices than PKC-based ones. However, ECC-based authentication schemes still have some disadvantages when they are implemented on mobile devices. Like PKC, ECC also needs a key authentication center (KAC) to maintain the certificates for users' public keys. As the number of users increases, the KAC needs a large storage space to store users' public keys and certificates. In addition, users need additional computations to verify the other party's certificate in these schemes (Abichar et al., 2007; Chen and Song, 2007; Jiang et al., 2007; Jia et al., 2006; Liao and Wang, 2007; Tian et al., 2005). This makes the computation loads and the energy costs of mobile devices very high.

To solve the above problems, several ID-based authentication schemes on ECC have been proposed (Choie et al., 2005; Cao et al., 2008; Wu et al., 2005). The ID-based concept was first introduced by Shamir (1984). In an ID-based scheme, the user utilizes his unique identity (e.g., name, address, or e-mail address) as his public key. Thus, the user cannot claim that authentication information containing his identity does not belong to him. Without public keys, users do not need to perform additional computations to verify the corresponding certificates. Moreover, the KAC does not need to maintain a large public-key table because there are no public keys in ID-based schemes. However, the previous ID-based authentication schemes on ECC (Choie et al., 2005; Wu et al., 2005) are constructed using bilinear pairings, which are an expensive operation (Cao et al., 2008). For mobile devices, the computation and energy costs of pairing-based schemes are higher than those of ECDLP-based schemes.

On the other hand, we also find some disadvantages in the previous user authentication schemes on ECC. That is, some of these schemes do not provide mutual authentication (Chen and Song, 2007; Jiang et al., 2007; Jia et al., 2006; Wu et al., 2005) or a session key agreement (Cao et al., 2008; Chen and Song, 2007; Jia et al., 2006; Wu et al., 2005) between the user and the server. For some applications, the user and the server need a session key to encrypt secret information in the subsequent communications after they have authenticated each other. According to the above descriptions, we propose an ID-based remote mutual authentication with key agreement scheme based upon ECC in this paper. The main contributions of the proposed scheme are as follows.

1. Efficiency: Compared with the pairing-based authentication schemes, the proposed scheme has lower computation loads for mobile devices because it is based upon point multiplication on ECC. Moreover, the proposed scheme does not need to perform additional computations to verify certificates because it is constructed on the ID-based concept. Without additional computations for certificates, the energy costs and computation loads of mobile devices can be reduced. Therefore, the proposed scheme provides efficiency for the users of mobile devices.

2. Reliability: For security reasons, both the user and the server need to check the other party's validity in electronic transactions. However, some of the previous authentication schemes on ECC only allow the server to authenticate the user's identity. As a result, an attacker can easily impersonate the server to steal the user's secret information. To solve this problem, the proposed scheme provides mutual authentication between the user and the server. Therefore, the mutual authentication in the proposed scheme provides reliability for both the user and the server.

3. Flexibility: Some of the previous authentication schemes on ECC only provide user authentication without a session key agreement between users and a remote server. Thus, these schemes can only be applied to remote login systems. For some applications, such as on-line shopping and pay-TV, it is necessary to share a session key between the user and the server for the subsequent transactions after they have mutually authenticated each other. The proposed scheme not only accomplishes mutual authentication but also provides a session key agreement between a user and the remote server. Thus, the proposed scheme is flexible enough for many applications.

4. Scalability: Based upon the ID-based concept, the proposed scheme utilizes each user's unique identity to accomplish user authentication. Thus, the server does not need to maintain a large public-key table when the number of users becomes very large. Because user authentication only involves the user's identity, the server can easily confirm that a user is valid according to his identity. That is, the server can offer its services to a large number of users, so that it can make more profit in electronic transactions. Therefore, the proposed scheme provides high scalability for adding users in electronic transactions.

The rest of our paper is organized as follows. First, the basic concepts of ECC and Tian et al.'s authentication scheme on ECC (Tian et al., 2005) are presented in Section 2. Then, the proposed scheme is shown in Section 3. The security and performance analyses are discussed in Section 4. Finally, the conclusions are given in Section 5.

* Corresponding author. Department of Information Engineering and Computer Science, Feng Chia University, 100 Wenhwa Rd., Seatwen, Taichung 40724, Taiwan, ROC. Tel.: +8864 24517250x3790; fax: +886 27066495. E-mail addresses: [email protected] (J.-H. Yang), [email protected] (C.-C. Chang). 0167-4048/$ – see front matter © 2008 Elsevier Ltd. All rights reserved. doi:10.1016/j.cose.2008.11.008

2. Preliminaries

In this section, we first introduce the basic concepts of ECC. Then, we review Tian et al.’s remote user authentication scheme on ECC (Tian et al., 2005).

2.1. Elliptic curve cryptosystem (ECC)

An elliptic curve is a cubic equation of the form $y^2 + axy + by = x^3 + cx^2 + dx + e$, where $a, b, c, d$, and $e$ are real numbers. In an elliptic curve cryptosystem (ECC), the elliptic curve equation is defined in the form $E_p(a, b): y^2 = x^3 + ax + b \pmod p$ over a prime finite field $F_p$, where $a, b \in F_p$, $p > 3$, and $4a^3 + 27b^2 \neq 0 \pmod p$ (Hankerson et al., 2004). Given an integer $s \in F_p$ and a point $P \in E_p(a, b)$, the point multiplication $s \cdot P$ over $E_p(a, b)$ is defined as $s \cdot P = \underbrace{P + P + \cdots + P}_{s \text{ times}}$. More details of the ECC definitions can be found in Hankerson et al. (2004). Generally, the security of ECC relies on the difficulty of the following problems (Li et al., 2008).

Definition 1. Given two points $P$ and $Q$ over $E_p(a, b)$, the elliptic curve discrete logarithm problem (ECDLP) is to find an integer $s \in F_p$ such that $Q = s \cdot P$.

Definition 2. Given three points $P$, $s \cdot P$, and $t \cdot P$ over $E_p(a, b)$ for $s, t \in F_p$, the computational Diffie–Hellman problem (CDLP) is to find the point $(s \cdot t) \cdot P$ over $E_p(a, b)$.

Definition 3. Given two points $P$ and $Q = s \cdot P + t \cdot P$ over $E_p(a, b)$ for $s, t \in F_p$, the elliptic curve factorization problem (ECFP) is to find the two points $s \cdot P$ and $t \cdot P$ over $E_p(a, b)$.

Up to now, no algorithm is known that can efficiently solve any of the above problems (Li et al., 2008).

2.2. Tian et al.'s authentication with key agreement scheme on ECC

In this subsection, we introduce Tian et al.'s authentication with key agreement scheme on ECC (Tian et al., 2005). There are three participants in Tian et al.'s scheme: user A, user B, and the certificate authority (CA). In their scheme, A and B want to authenticate each other and share a session key. The CA is responsible for initializing the system parameters and generating the certificates of A and B. First, the CA chooses an elliptic curve equation $E_p(a, b)$ as defined in Subsection 2.1. Note that the order of $E_p(a, b)$ is $n$. Then, the CA selects a public point $P$ of order $n$ over $E_p(a, b)$ and computes its private/public key pair $(q_{CA}, Q_{CA})$ by $Q_{CA} = q_{CA} \cdot P$. Here, we define some parameters used in Tian et al.'s scheme as follows: $H(\cdot)$ is a public one-way hash function with 160-bit input size, and "$||$" is the binary string concatenation operation. In addition, $KDF(\cdot)$ and $MAC(\cdot)$ denote a secure key derivation function and a message authentication code function (Tian et al., 2005), respectively. Now, we introduce Tian et al.'s scheme as follows.

2.2.1. Certificate generation phase

Step 1. User A chooses an integer $g_A \in Z_p$ and computes $G_A = g_A \cdot P$. Then, A sends his identity $ID_A$ and $G_A$ to the CA.

Step 2. The CA chooses a random integer $g_{CA} \in Z_p$ and computes $G_{CA} = g_{CA} \cdot P$ and $\bar{G}_A = G_A + G_{CA}$. Then, the CA computes $cer_A = (Q_{CA}, ID_A, \bar{G}_A, T_A)$ as A's certificate, where $T_A$ is the expiration time of $cer_A$. Finally, the CA computes $cer'_A = H(cer_A)$ and $s_A = g_{CA} \cdot cer'_A + q_{CA} \bmod n$. Then, the CA publishes $cer_A$ and sends $s_A$ to user A.

Step 3. User A computes $cer'_A = H(cer_A)$ and $q_A = s_A + g_A \cdot cer'_A \bmod n$, where $q_A$ is his private key. Then, A computes his public key $Q_A = q_A \cdot P$. Finally, A checks whether $Q_A = cer'_A \cdot \bar{G}_A + Q_{CA}$ holds. If the equation holds, A accepts this certificate. Otherwise, he rejects it. Similarly, user B obtains its private/public key pair $(q_B, Q_B)$ and the corresponding certificate $cer_B = (Q_{CA}, ID_B, \bar{G}_B, T_B)$ according to the above steps.

2.2.2. Authentication with key agreement phase

Step 1. User A confirms the validity of B's public key by checking whether the equation $Q_B = cer'_B \cdot \bar{G}_B + Q_{CA}$ holds. Similarly, B confirms the validity of A's public key by checking whether $Q_A = cer'_A \cdot \bar{G}_A + Q_{CA}$ holds.

Step 2. User A randomly chooses a $k$-bit integer $r_A$ and a redundant string $l$ to compute $m = (r_A || l)$, where $k$ is a system-wide security parameter. Then, A selects an integer $d_A \in Z_p$ to compute $D_A = d_A \cdot P$ and $D_B = d_A \cdot Q_B$. Finally, A computes $m' = m \oplus D_B.x$ and sends $(D_A, m')$ to B, where $D_B.x$ is the x coordinate of the point $D_B$ over $E_p(a, b)$.

Step 3. User B computes $D_B = q_B \cdot D_A$ and $m = m' \oplus D_B.x$. Then, B obtains $r_A$ from the most significant $k$ bits of $m$. Next, B randomly chooses a $k$-bit integer $r_B$ and computes $y = E_{r_A}(ID_B || r_B)$, where $E_{r_A}(\cdot)$ is a secure symmetric encryption under the symmetric key $r_A$. To obtain the session key $K$, B also computes $MacK || K = KDF(r_A || r_B || ID_A || ID_B)$, where $MacK$ is the message authentication code of $K$. Note that the lengths of $MacK$ and $K$ are pre-defined. Finally, user B sends $y$ to user A.

Step 4. User A decrypts $y = E_{r_A}(ID_B || r_B)$ using $r_A$ to obtain $r_B$. Thus, A can compute $MacK || K = KDF(r_A || r_B || ID_A || ID_B)$ to obtain the session key $K$. Then, A computes $z = q_A \cdot H(MacK) + d_A \bmod n$ and sends $z$ to B.

Step 5. User B checks whether $z \cdot P = H(MacK) \cdot Q_A + D_A$ holds. If the equation holds, B computes $z' = MAC_{MacK}(ID_B || ID_A)$ and sends it to A. Otherwise, the protocol is terminated.

Step 6. User A checks whether $z'$ is valid. If $z'$ is valid, A accepts the session key $K$. Otherwise, the protocol is terminated.

From Tian et al.'s scheme, we find that user authentication schemes on ECC that use public keys have the following disadvantages. First, the CA needs a large storage space to keep all users' public keys and certificates if the number of users becomes large. Second, the users need additional computations to verify the other party's certificates. These disadvantages make such authentication schemes on ECC unsuitable for mobile devices. To overcome these disadvantages, we propose an ID-based remote mutual authentication with key agreement scheme for mobile devices on ECC in the next section.

3. The proposed scheme

The proposed scheme provides mutual authentication and a session key agreement between a user U and a remote server S. Note that the server is responsible for initializing the system parameters and distributing a secret key to each user. The proposed scheme is divided into three phases: the system initialization phase, the user registration phase, and the mutual authentication with key agreement phase. Now, we present our scheme as follows.

3.1. System initializing phase

Step 1. The server chooses an elliptic curve equation $E_p(a, b)$ with order $n$, as defined in Subsection 2.1.

Step 2. The server S selects a base point $P$ of order $n$ over $E_p(a, b)$, where $n$ is a large number for security considerations. Then, S derives its private/public key pair $(q_S, Q_S)$ by computing $Q_S = q_S \cdot P$.

Step 3. The server chooses three secure one-way hash functions $H_1(\cdot): \{0, 1\}^* \to G_P$, $H_2(\cdot): \{0, 1\}^* \to Z_p$, and $H_3(\cdot): \{0, 1\}^* \to Z_p$, where $G_P$ is the cyclic additive group generated by $P$ over $E_p(a, b)$.

Step 4. The server keeps $q_S$ private and publishes $\{E_p(a, b), P, Q_S, H_1(\cdot), H_2(\cdot), H_3(\cdot)\}$.

3.2. User registration phase

Step 1. The user U sends his identity $ID_U$ to the server.

Step 2. The server S computes $AID_U = q_S \cdot H_1(ID_U) \in G_P$, where $AID_U$ is the authentication key for the user U. Then, S sends $AID_U$ to U over a secure channel.

Step 3. After receiving $AID_U$, U checks whether $AID_U \cdot P = Q_S \cdot H_1(ID_U)$ holds. If the equation holds, U keeps $AID_U$ private.

3.3. Mutual authentication with key agreement phase

Step 1. The user U randomly chooses a point $R_U = (x_U, y_U) \in E_p(a, b)$, where $x_U$ and $y_U$ are the x and y coordinates of the point $R_U$, respectively. Then, U computes $t_1 = H_2(T_1)$, $M_U = R_U + t_1 \cdot AID_U$ and $\bar{R}_U = x_U \cdot P$, where $T_1$ is a timestamp denoting the current time. Finally, U sends $(ID_U, M_U, \bar{R}_U, T_1)$ to the server.

Step 2. After receiving $(ID_U, M_U, \bar{R}_U, T_1)$, the server S computes $Q_{ID_U} = H_1(ID_U)$, $t_1 = H_2(T_1)$ and $R'_U = M_U - q_S \cdot t_1 \cdot Q_{ID_U}$ to obtain $Q_{ID_U} = (x_Q, y_Q)$ and $R'_U = (x'_U, y'_U)$. Then, S checks whether $\bar{R}_U = x'_U \cdot P$ holds. If the equation holds, the server confirms that U is valid and that $x'_U = x_U$. Otherwise, the protocol is terminated.

Step 3. The server S randomly chooses a point $R_S = (x_S, y_S) \in E_p(a, b)$, and then computes $t_2 = H_2(T_2)$ and $M_S = R_S + t_2 \cdot q_S \cdot Q_{ID_U}$. Then, S computes the session key $k$ by the equation $k = H_3(x_Q, x_U, x_S)$. Finally, S computes $M_k = (k + x_S) \cdot P$ and sends $(M_S, M_k, T_2)$ to U.

Step 4. After receiving $(M_S, M_k, T_2)$, the user U computes $Q_{ID_U} = H_1(ID_U)$, $t_2 = H_2(T_2)$, and $R'_S = M_S - t_2 \cdot AID_U$ to derive $Q_{ID_U} = (x_Q, y_Q)$ and $R'_S = (x'_S, y'_S)$. Then, U computes $k' = H_3(x_Q, x_U, x'_S)$ and $M'_k = (k' + x'_S) \cdot P$ and checks whether $M'_k = M_k$ holds. If the equation holds, U confirms that S is valid and that the session key $k'$ is equal to $k$. Otherwise, the protocol is terminated.


Fig. 1 shows the mutual authentication with key agreement phase of the proposed scheme. Basically, the proposed authentication scheme is based upon the elliptic curve discrete logarithm problem (ECDLP) and the elliptic curve factorization problem (ECFP). Thus, only point-multiplication operations on the elliptic curve are required in the proposed scheme. Compared with the pairing-based authentication schemes (Choie et al., 2005; Jia et al., 2006; Liao and Wang, 2007; Wu et al., 2005), the proposed scheme is more efficient because the bilinear-pairing operation is more expensive than the point-multiplication operation on ECC (Cao et al., 2008). Besides, the proposed scheme is constructed on the ID-based concept and utilizes the user's unique identity $ID_U$ to compute $AID_U$ for mutual authentication. Thus, the mutual authentication between the user and the server can be accomplished without using public keys. In addition, the users and the server do not need to perform additional computations for verifying the other party's certificates. Therefore, the proposed scheme provides efficiency.

Up to now, some remote user authentication schemes on ECC (Chen and Song, 2007; Jiang et al., 2007; Jia et al., 2006; Wu et al., 2005) only allow the server to authenticate the users' identities; the users cannot authenticate the validity of the server. Thus, an attacker can easily impersonate the server to steal the user's secret information in these schemes. In the mutual authentication with key agreement phase, only the valid user and the valid server can recover the other party's random points $R_U$ and $R_S$ in the proposed scheme. That is, both the user and the server can authenticate the other party's validity. Thus, our scheme supports mutual authentication and provides reliability for both the user and the server.

According to our investigations, some authentication schemes on ECC (Cao et al., 2008; Chen and Song, 2007; Jia et al., 2006; Wu et al., 2005) do not provide a session key agreement between the users and the server. Thus, these schemes can only be applied to remote login systems. Our scheme, however, not only accomplishes mutual authentication but also provides a session key between the user and the server. That is, our scheme can be applied to many applications, such as on-line shopping and pay-TV. In these applications, a session key is necessary for the subsequent communications between the user and the server after they complete the mutual authentication. Therefore, the proposed scheme provides flexibility for many applications in electronic transactions.

In the proposed scheme, the authentication key $AID_U = q_S \cdot H_1(ID_U) \in G_P$ is constructed from the user's identity $ID_U$ and the server's secret key $q_S$. That is, whatever the number of users, the server only keeps its secret key $q_S$ and uses the user's identity to compute $AID_U$ for user authentication. When a new user is added to the system, the server does not need to keep his password or public key in storage. Therefore, the proposed scheme provides high scalability for adding users, which makes it very practical for applications with a large number of users.

Fig. 1 – Mutual authentication with key agreement phase.

4. The discussions

In this section, we discuss the security of the proposed scheme and compare it with some related schemes. First, we present some possible attacks to analyze the security of the proposed scheme.

4.1. Security analyses

4.1.1. Outsider attack

Assume that an attacker wants to derive the secret information in the system, and so he eavesdrops on the communications between the user and the server. Thus, the attacker can collect $(ID_U, M_U, \bar{R}_U, T_1)$ and $(M_S, M_k, T_2)$. To obtain the user's authentication key $AID_U$ and the server's secret key $q_S$, he needs to compute $AID_U$ and $q_S$ from $M_U = R_U + t_1 \cdot AID_U$ or $M_S = R_S + t_2 \cdot q_S \cdot Q_{ID_U}$. However, this attack is infeasible because he must face the difficulty of the elliptic curve discrete logarithm problem (ECDLP) and the elliptic curve factorization problem (ECFP). According to Subsection 2.1, no algorithm is known that can solve these problems. Similarly, the attacker cannot derive the session key $k$ from $M_k = (k + x_S) \cdot P$ because he must face the difficulty of the ECDLP.

4.1.2. Replay attack

Assume that an attacker collects the information once transferred between the user and the server. Then, the attacker may use the pre-collected information $(M_U, \bar{R}_U)$ to pretend that he is the user U. Thus, the attacker sends $(ID_U, M_U, \bar{R}_U, T'_1)$ to the server, where $T'_1$ denotes the current time. However, this attack cannot work, since $M_U = R_U + t_1 \cdot AID_U$ was generated with the past value $t_1 = H_2(T_1)$ instead of the current value $t'_1 = H_2(T'_1)$. When the server uses $T'_1$ to compute $t'_1 = H_2(T'_1)$ and $R'_U = M_U - q_S \cdot t'_1 \cdot Q_{ID_U}$, the verification equation $\bar{R}_U = x'_U \cdot P$ does not hold in Step 2 of the mutual authentication with key agreement phase. This is because $M_U - q_S \cdot t'_1 \cdot Q_{ID_U} \neq M_U - q_S \cdot t_1 \cdot Q_{ID_U}$, so that $R'_U \neq R_U$. Similarly, an attacker cannot use the pre-collected information $(M_S, M_k)$ to pretend that he is the server S because $M_S$ contains the past timestamp $T_2$. Therefore, the replay attack is infeasible for the proposed scheme.
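As an added worked example (not code from the paper), the following Python runs the user registration phase and the mutual authentication with key agreement phase of Section 3 on the secp256k1 curve and then exercises the replay argument of this subsection: the captured $(M_U, \bar{R}_U)$ resent with a fresh timestamp $T'_1$ fails the Step 2 equation. Assumed, because the paper leaves them open: the curve, SHA-256 instantiations of $H_1$ (try-and-increment hash-to-point), $H_2$ and $H_3$, and a freshness window on $T_1$ that the server applies before Step 2; the user-side check of registration Step 3 is omitted because, as written, it multiplies two curve points.

```python
import hashlib
import secrets

# Assumed domain parameters (the paper leaves E_p(a, b) open): secp256k1,
# y^2 = x^3 + 7 over F_p, with base point G of prime order N and cofactor 1.
P_MOD = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
A_COEF, B_COEF = 0, 7
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def pt_add(p1, p2):
    """Affine point addition on E_p(a, b); None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    if p1[0] == p2[0] and (p1[1] + p2[1]) % P_MOD == 0:
        return None  # p2 = -p1
    if p1 == p2:
        lam = (3 * p1[0] * p1[0] + A_COEF) * pow(2 * p1[1], -1, P_MOD)
    else:
        lam = (p2[1] - p1[1]) * pow(p2[0] - p1[0], -1, P_MOD)
    x3 = (lam * lam - p1[0] - p2[0]) % P_MOD
    return (x3, (lam * (p1[0] - x3) - p1[1]) % P_MOD)

def pt_neg(p1):
    return None if p1 is None else (p1[0], (-p1[1]) % P_MOD)

def pt_mul(k, p1):
    """Point multiplication s.P of Subsection 2.1 by double-and-add."""
    k, acc, addend = k % N, None, p1
    while k:
        if k & 1:
            acc = pt_add(acc, addend)
        addend = pt_add(addend, addend)
        k >>= 1
    return acc

def _digest(*parts):
    data = b"|".join(str(p).encode() for p in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def H1(identity):
    """{0,1}* -> G_P by try-and-increment (assumed). H1 must not be h.P for a
    public scalar h, or AID_U = q_S.H1(ID_U) = h.Q_S could be computed by anyone."""
    ctr = 0
    while True:
        x = _digest("H1", identity, ctr) % P_MOD
        rhs = (pow(x, 3, P_MOD) + A_COEF * x + B_COEF) % P_MOD
        y = pow(rhs, (P_MOD + 1) // 4, P_MOD)  # square root, valid as p = 3 mod 4
        if y * y % P_MOD == rhs:
            return (x, y)
        ctr += 1

def H2(timestamp):
    return _digest("H2", timestamp) % N  # {0,1}* -> scalar (reduced mod n)

def H3(x_q, x_u, x_s):
    return _digest("H3", x_q, x_u, x_s) % N

def server_register(q_s, identity):
    """Registration Step 2: AID_U = q_S . H1(ID_U), sent over a secure channel."""
    return pt_mul(q_s, H1(identity))

def user_step1(identity, aid_u, t1):
    """Step 1: returns (ID_U, M_U, R_bar_U, T1) and x_U, which U keeps for Step 4."""
    r_u = pt_mul(secrets.randbelow(N - 1) + 1, G)  # random point R_U = (x_U, y_U)
    m_u = pt_add(r_u, pt_mul(H2(t1), aid_u))       # M_U = R_U + t1.AID_U
    return (identity, m_u, pt_mul(r_u[0], G), t1), r_u[0]

def server_steps2_3(q_s, msg, t2, now, max_skew=5):
    """Steps 2-3: verify the login message; returns ((M_S, M_k, T2), k) or None."""
    identity, m_u, r_bar, t1 = msg
    if abs(now - t1) > max_skew:  # assumed freshness window on T1
        return None
    q_id = H1(identity)
    r_u = pt_add(m_u, pt_neg(pt_mul(q_s * H2(t1), q_id)))  # R'_U = M_U - q_S.t1.Q_ID_U
    if r_u is None or pt_mul(r_u[0], G) != r_bar:           # R_bar_U = x'_U . P ?
        return None
    r_s = pt_mul(secrets.randbelow(N - 1) + 1, G)            # random point R_S
    m_s = pt_add(r_s, pt_mul(H2(t2) * q_s, q_id))            # M_S = R_S + t2.q_S.Q_ID_U
    k = H3(q_id[0], r_u[0], r_s[0])                          # k = H3(x_Q, x_U, x_S)
    return (m_s, pt_mul(k + r_s[0], G), t2), k               # M_k = (k + x_S).P

def user_step4(identity, aid_u, x_u, reply):
    """Step 4: recover R'_S, derive k' and check M'_k = M_k; returns k' or None."""
    m_s, m_k, t2 = reply
    r_s = pt_add(m_s, pt_neg(pt_mul(H2(t2), aid_u)))  # R'_S = M_S - t2.AID_U
    if r_s is None:
        return None
    k_prime = H3(H1(identity)[0], x_u, r_s[0])
    return k_prime if pt_mul(k_prime + r_s[0], G) == m_k else None
```

An honest run ends with `user_step4` returning the same `k` that `server_steps2_3` derived; a replay of the captured message fails either the freshness window (unchanged $T_1$) or the Step 2 equation (fresh $T'_1$).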

4.1.3. Impersonation attack

Assume that an attacker wants to impersonate a legal user U, so he randomly chooses $R''_U = (x''_U, y''_U) \in E_p(a, b)$ and $A''_{ID_U}$ to compute $M''_U = R''_U + t_1 \cdot A''_{ID_U}$ and $\bar{R}''_U = x''_U \cdot P$. Then, the attacker sends $(ID_U, M''_U, \bar{R}''_U, T_1)$ to the server for authentication. However, the server cannot obtain $R''_U = (x''_U, y''_U)$ from $R'_U = M''_U - q_S \cdot t_1 \cdot Q_{ID_U} = M''_U - t_1 \cdot AID_U$, since $M''_U$ was generated with $A''_{ID_U}$ instead of $AID_U$. Because $\bar{R}''_U \neq x'_U \cdot P$, the server detects that the attacker is an illegal user. Similarly, an attacker cannot impersonate the valid server because he does not know the server's secret key $q_S$. Therefore, the impersonation attack is infeasible on our scheme.

4.2. Comparisons

Table 1 compares our scheme with the previous authentication schemes on ECC. For simplicity, the computation costs in Table 1 do not include the certificate computations and pairing computations. Note that if a scheme requires certificate computations or pairing computations, its computation costs in practice are larger than those in Table 1. According to Table 1, our scheme not only provides mutual authentication but also supports a session key agreement. Moreover, our scheme does not need to perform certificate computations or pairing computations. In addition, the computation costs and the number of communication rounds of our scheme are lower than those of the other schemes, as shown in Table 1. From the above descriptions, we conclude that our scheme is more efficient and practical than the related schemes for the users of mobile devices.

Table 1 – Comparisons of the related works.

Scheme                                        Mutual authentication  Key agreement  Certificate computations  Pairings computations  Computation costs  Communication rounds
Tian et al. (2005), Hankerson et al. (2004)   Yes                    Yes            Yes                       No                     3PM + 1PA + 1SD    4
Wu et al. (2005), Shamir (1984)               No                     No             No                        Yes                    3PM + 1PA          2
Jia et al. (2006)                             No                     No             Yes                       Yes                    4PM + 1PA          2
Abichar et al. (2007), Rivest et al. (1978)   Yes                    Yes            Yes                       No                     2PM + 2PA + 1MM    3
Ours                                          Yes                    Yes            No                        No                     3PM + 2PA          2

PM: elliptic curve point multiplication; PA: elliptic curve point addition; SD: symmetric-key decryption; MM: modular multiplication.


5. Conclusions

In this paper, we propose an ID-based remote mutual authentication scheme on ECC. Based upon the ID-based concept, the proposed scheme does not require additional computations for certificates. In addition, the proposed scheme is not constructed from bilinear pairings, which are an expensive operation on elliptic curves. According to the comparisons in Subsection 4.2, the proposed scheme is more efficient and practical than the related works. In the future, we will investigate a remote mutual authentication scheme on ECC for multi-server environments, so that it can be applied to more applications in electronic transactions.

References

Abichar PE, Mhamed A, Elhassan B. A fast and secure elliptic curve based authenticated key agreement protocol for low power mobile communications. In: Proceedings of the 2007 international conference on next generation mobile applications, services and technologies; 2007. p. 235–40.

Cao X, Kou W, Dang L, Zhao B. IMBAS: identity-based multi-user broadcast authentication in wireless sensor networks. Computer Communications 2008;31:659–67.

Chen ZG, Song XX. A distributed electronic authentication scheme based on elliptic curve. In: Proceedings of the sixth international on machine learning and cybernetics; 2007. p. 2179–182.

Choie YJ, Jeong E, Lee E. Efficient identity-based authenticated key agreement protocol from pairings. Applied Mathematics and Computation 2005;162:179–88.

ElGamal T. A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Transactions on Information 1985;IT-31:469–72.

Hankerson D, Menezes A, Vanstone S. Guide to elliptic curve cryptography. New York, USA: LNCS, Springer-Verlag; 2004.

Jia Z, Zhang Y, Shao H, Lin Y, Wang J. A remote user authentication scheme using bilinear pairings and ECC. In: Proceedings of the sixth international conference on intelligent system design and applications; 2006. p. 1091–94.

Jiang C, Li B, Xu H. An efficient scheme for user authentication in wireless sensor networks. In: Proceedings of 21st international conference on advanced information networking and applications workshops; 2007. p. 438–42.

Koblitz N. Elliptic curve cryptosystem. Mathematics of Computation 1987;48:203–9.

Li F, Xin X, Hu Y. Identity-based broadcast signcryption. Computer Standard and Interfaces 2008;30:89–94.

Liao YP, Wang SS. A secure and efficient scheme of remote user authentication based on bilinear pairings. In: Proceedings of 2007 IEEE region 10 conference; 2007. p. 1–4.

Miller VS. Use of elliptic curves in cryptography. In: Advances in cryptology, proceedings of CRYPTO'85, vol. 218. LNCS, Springer-Verlag; 1986. p. 417–26.

Rivest RL, Shamir A, Adleman L. A method for obtaining digital signatures and public key cryptosystems. Communications of the ACM 1978;21(2):120–6.

Shamir A. Identity based cryptosystems and signature schemes. In: Proceedings of CRYPTO'84. LNCS, Springer-Verlag; 1984. p. 47–53.

Tian X, Wong DS, Zhu RW. Analysis and improvement of authenticated key exchange protocol for sensor networks. IEEE Communications Letters 2005;9(11):970–2.

Wu ST, Chiu JH, Chieu BC. ID-based remote authentication with smart cards on open distributed system from elliptic curve cryptography. In: Proceedings of IEEE international conference on electro information technology; 2005.

Jen-Ho Yang received the BS degree in computer science and information engineering from I-Shou University, Kaoshiung, Taiwan in 2002. He is currently pursuing his Ph.D. degree in computer science and information engineering from National Chung Cheng University, Chiayi, Taiwan. His current research interests include electronic commerce, information security, cryptography, mobile communications, and fast modular multiplication algorithm.

Chin-Chen Chang received his BS degree in applied mathematics in 1977 and the MS degree in computer and decision sciences in 1979, both from the National Tsing Hua University, Hsinchu, Taiwan. He received his Ph.D in computer engineering in 1982 from the National Chiao Tung University, Hsinchu, Taiwan. Since February 2005, he has been a Chair Professor of Feng Chia University. In addition, he has served as a consultant to several research institutes and government departments. His current research interests include database design, computer cryptography, image compression and data structures.