Available online at www.sciencedirect.com

ces 31 (2009) 181–185www.elsevier.com/locate/csi

Computer Standards & Interfa

An improved bilinear pairing based remote user authentication scheme

Thulasi Goriparthi a,1, Manik Lal Das b,1, Ashutosh Saxena c,⁎,1

a University of Hyderabad, Gachibowli, Hyderabad 500046, Indiab Dhirubhai Ambani Institute of Information and Communication Technology, Gandhinagar, Ahmedabad 382007, India

c SETLabs, Infosys Technologies Limited, Hyderabad DC, Survey No.210, Lingampally, Hyderabad 500019, India

Received 18 April 2006; received in revised form 31 October 2007; accepted 18 November 2007Available online 5 December 2007

Abstract

Recently Das et al. proposed a novel remote user authentication scheme using bilinear pairings. Chou et al. identified a weakness in Das et al.'sscheme and made an improvement. In this paper, we show that both Das et al.'s and Chou et al.'s schemes are insecure against forgery and replayattacks. We proposed an improved scheme that overcomes the security flaws without affecting the merits of the original scheme.© 2007 Elsevier B.V. All rights reserved.

Keywords: Authentication; Bilinear pairings; Smart Card; Password; Timestamp

1. Introduction

Remote User Authentication scheme allows the authenticateduser to access the services offered by the remote system. Lamport[1] introduced the first well-known hash-based passwordauthentication scheme, but the scheme suffers from high hashcomputation overhead and password resetting problems. There-after, many authentication schemes have been proposed based onhashed password [2–7] and on public key cryptography [4,5,8–12]. It is observed that, many times, a paper typically breaks aprevious scheme and proposes a new one [4,5,7,13,16], whichsomeone breaks later and, in turn, proposes a new one, and so on.Most of such work, though quite important and useful, essentiallyprovides an incremental advance to the same basic theme [14].

Recently, Das et al. [6] proposed a remote user authenticationscheme using bilinear pairings. In their scheme, timestamps areused to avoid replay attacks while sending the login request overa public channel. Chou et al. [15] identified that the verification

⁎ Corresponding author.E-mail addresses: thulasi@dcis.uohyd.ernet.in (T. Goriparthi),

maniklal.das@ieee.org (M. Lal Das), ashutosh_saxena01@infosys.com(A. Saxena).1 Part of this work was done when all authors were affiliated to Secure

Technology Lab., Institute for Development and Research in BankingTechnology, Hyderabad 500057, India, and acknowledge it.

0920-5489/$ - see front matter © 2007 Elsevier B.V. All rights reserved.doi:10.1016/j.csi.2007.11.016

of Das et al.'s scheme involves subtraction of two components,which are passed over a public channel and can lead to replayattack. The replay attack can be performed by adding the sameinformation to the two components while still retaining a validverification. To overcome replay attack, Chou et al. suggested amodification in the verification part of Das et al.'s scheme.However, we observed that the modified scheme by Chou et al.still suffer from the replay attack. This paper cryptanalyzes Daset al.'s and Chou et al.'s schemes and then proposes an improvedscheme, which is resilient to the forgery and replay attacks.

The organization of the paper is as follows. In Section 2, wepresent the preliminaries of bilinear pairings, complexityassumptions and notations used in the paper. In Section 3,Das et al.'s scheme is briefly reviewed. Chou et al.'s attack onDas et al.'s scheme is reviewed in Section 4. In Section 5, wecryptanalyze the Chou et al.'s and Das et al.'s schemes. Section6 presents our scheme. Section 7 analyses the security of theproposed scheme. We conclude the paper in Section 8.

2. Preliminaries

2.1. Relevance to the computer standards

User authentication is a common practice to verify usersbefore allowing access to enterprise/server resource. Password-based authentication system plays an important role for

182 T. Goriparthi et al. / Computer Standards & Interfaces 31 (2009) 181–185

user authentication, but due to dictionary attack of memorizedpassword, now-a-days, password and a token combination actsas a secure authentication mechanism, which is termed as “two-factor authentication” [19], adopted by several industry,academia and Government agencies. In contrast, public key-based authentication technique [17] has already been applied invarious applications, such as Secure Socket Layers [20], PrettyGood Privacy [18], etc. As a consequence, user authenticationis a de-facto standard and requirement in computer and infor-mation systems, ranging from boarder security to consumerelectronics.

2.2. Bilinear pairings

Let G1 be an additive cyclic group of prime order q and G2

be the multiplicative cyclic group of the same order. Practicallywe can think of G1 as a group of points on an elliptical curveover Zq⁎, and G2 as a subgroup of the multiplicative group of afinite field Z 4

qk for some k∈Zq⁎. Let P be a generator of G1. A

bilinear pairing is a map e:G1×G1→G2 having the followingthree properties:

Bilinear: e(aP,bQ)=e(P,Q)ab, for all P,Q∈G1 and a,b,∈Zq⁎.

Non-degenerate: For all P, where P is not a generator, thereexists Q∈G1 such that e(P,Q)≠1.

Computable: e(P,Q) is computable in polynomial time.

2.3. Complexity assumptions

Discrete Logarithm Problem (DLP): Given two elements P,Q∈G1 find an integer a∈Zq

⁎, such that Q=aP whenever suchan integer exists.

Computational Diffie–Hellman Problem (CDHP): Given (P,aP,bP) for any a,b∈Zq⁎, compute abP.

Decisional Diffie–Hellman Problem (DDHP): Given (P, aP,bP, cP) for any a,b,c∈Zq⁎, decide whether c = ab mod q.

G1 is a GDH group if there exists an efficient polynomialtime algorithm which solves the DDHP in G1 and there is noprobabilistic polynomial time algorithm which solves theCDHP in G1 with non negligible probability of success.

Bilinear Diffie–Hellman Problem (BDH): Given (P, aP, bP,cP) for any a,b,c∈Zq⁎, compute e(P,P)abc.

2.4. Notations

The notations used through out the paper are as follows.

U UserID Identity of UPW Password of URS Remote ServerH:{0,1}⁎→G1 A map-to-point hash function.P Generator of G1

S Secret key of RSPpub Public key of RS, where Ppub= sPh;{0,1}⁎→Zq⁎ One way hash function|| Concatenation operation

3. Review of Das et al.'s scheme

In this section, we briefly review Das et al.'s scheme. Thescheme consists of four different phases and they work asfollows

3.1. Registration phase

R1. U submits his identity ID and password PW to the RSR2. RS computes Re gID= sH(ID) + H(PW)R3. RS personalizes smart card with ID, Re gID, H(.) and

sends the smart card to U in a secure manner.

3.2. Login phase

L1. U inserts smart card in a terminal and submits ID and PW.L2. Smart card computes DID=T Re gID and V=TH(PW )L3. Sends login request bID,DID,V,T N to RS over a public

channel where T is the user system's timestamp.

3.3. Verification phase

V1. RS receives bID,DID,V,TN at time T⁎ and verifies thevalidity of the time interval between T⁎ and T, bychecking if (T⁎−T )≤ΔT. If it holds, checks whethere(DID-V,P) = e(H(ID),Ppub)

T. If both checks hold, RSaccepts the login request, rejects otherwise.

3.4. Password change phase

P1. U inserts smart card in a terminal and submits ID andpassword PW. Smart card verifies the entered ID with thestored one in the smart card. If ID is matched, it promptsU for a new password. U submits a new password PW⁎.

P2. Smart card computes Re gID⁎ =Re gID-H(PW)+H(PW⁎)=sH(ID)+H(PW⁎)

P3. Smart card replaces the previously stored Re gID byRe gID⁎

4. Chou et al.'s attack on Das et al.'s scheme

Chou et al. pointed out that the verification in Das et al.'sscheme e(DID-V,P) = e(H(ID),Ppub)

T holds valid even withDID′ = DID + a and V′ = V + a where a∈G1, as shownbelow.

e DID V� V V;PÞ ¼ eðDID� V ;PÞ ¼ eðHðIDÞ;PpubÞT�

To avoid this, Chou et al. proposed a modified verificationtechnique as e(DID,P) = e(TsH(ID) + V,P) to overcome thedefect in verification of Das et al.'s scheme.

5. Cryptanalysis of Chou et al.'s and Das et al.'s schemes

Chou et al. identified that the verification of Das et al.'sscheme involves subtraction of two components, which arepassed over the public channel leading to replay attack. The

Table 1Performance comparison of the schemes

Registration Login Verification PasswordChange

Das et al.'sscheme

2H, 1Sm, 1Pa 1H, 2Sm 2P, 1H, 1Pa, 1E 2H, 2Pa

Our Scheme 2H, 1Sm, 1Pa 1R, 1H, 1Pa,2Sm, 1h, 1Sa, 2C

2P, 1H, 1h,1Pa, 1Sm, 2C

2H, 2Pa

P: Pairing operation.H: Map-To-Point hash operation.Pa: Point addition.Sm: Scalar multiplication of a point h: one-way hash function.E: Exponentiation.Sa: Addition of scalar quantities.R: Random number generation.C: Concatenation of two scalar entities.h: one-way hash function.

183T. Goriparthi et al. / Computer Standards & Interfaces 31 (2009) 181–185

replay attack can be performed by adding the same informationto the two components while still retaining a valid verification.To overcome replay attack, they suggested a modification inverification part of Das et al.'s scheme, however we observedthat the modified scheme also suffers from the replay attack. Inthis section, we cryptanalyze, Chou et al.'s and Das et al.'sschemes.

5.1. Cryptanalysis of Chou et al.'s scheme

The verification in Das et al.'s scheme is modified by Chouet al. as e(DID,P) = e(TsH(ID) + V,P). We note that thisverification also holds valid for DID′ = DID + a′ and V′ = V +a′ where a′∈G1, as shown below.

e DID V;Pð Þ ¼ e DIDþ a V;Pð Þ¼ e TsH IDð Þ þ V þ a V;Pð Þ¼ e TsH IDð Þ þ V V;Pð Þ

Thus the approach of Chou et al., by adding Von the rightside of the equality instead of left side, cannot overcome theproblem.

5.2. Cryptanalysis of Das et al.'s scheme

In addition to the flaw in Das et al.'s scheme, identified byChou et al., we also noticed a major weakness in Das et al.'sscheme as following.

5.2.1. Forgery attackOur attack is based on the following assumption that given P

and Ppub = sP, finding s is a Discrete Logarithm Problem butgiven s and sP, it is feasible to compute P in finite time.

In the login phase, the tuple bID,DID,V,TN is being sent toRS over a public channel. Any attacker tapping this messagecan compute a valid tuple b ID,DID′,V′,T′ N as follows.

The attacker computes T−1, and gets Re gID and H(PW) bythe following.

Re gID ¼ T�1DID

and

H PWð Þ ¼ T�1V

Now, the attacker can form the valid tuple b ID,DID′,V′,T′ Nfor time stamp T′ computing DID′ = T′.Re gID, V′ = T′H(PW).

Thus, the attacker can forge a user many times just byintercepting one valid login request of the user.

5.2.2. Weakness in password change phaseIn the password change phase, U submits ID, old password

PW and new password PW⁎ but there is no validation of theold password. This leads to anyone knowing the ID and havingthe smart card can change Re gID in the smart card.

6. Our scheme

In this section, we present an improvement of Das et al.'sscheme. Similar to other schemes our scheme also consists of

four phases namely Registration; Login; Verification andPassword Change Phases and the phases work as follows.

6.1. Registration Phase

R1. U submits his identity ID and password PWto the RSR2. RS computes Re gID= sH(ID)+H(PW)R3. RS personalizes smart card with ID, Re gID, H(.), h(.) and

hands it to U securely.

6.2. Login phase

L1. U inserts smart card in a terminal and submits ID and PW.L2. After validating the ID, the smart card computes V(Vx,Vy) =rPpub

DID ¼ r þ h T jjVxjjVy

� �� �RegID � H PWð Þ½ �

and sends login request bID,DID,V,TN to RS over a publicchannel where T is the user system's timestamp and r is therandom number generated by the smart card.

6.3. Verification phase

V1. RS receives bID,DID,V,TN at time T⁎ and verifies thevalidity of the time interval between T⁎ and T, bychecking if (T⁎−T)≤ΔT. If it holds, checks whether e(DID, P)=e(H(ID), V+h(T||Vx||Vy)Ppub). If both checkshold valid, RS accepts the login request, rejects otherwise.

6.4. Password change phase

P1. U inserts smart card in a terminal and submits ID andpassword PW.

P2. Smart card produces a warning signal to the user toproceed only if the user knows the old password.

P3. Smart card verifies the entered ID with the stored one inthe smart card. If ID is matched, it prompts U for a newpassword. U submits a new password PW⁎.

184 T. Goriparthi et al. / Computer Standards & Interfaces 31 (2009) 181–185

P4. Smart card computesRegID⁎=Re gID−H(PW)+H(PW⁎) =s.H(ID) +H(PW⁎) and replaces the previously stored Re gIDby Re gID⁎

7. Correctness, performance and security of theimproved scheme

7.1. Correctness

The validity of a login request is verified by the following.

e DID;Pð Þ ¼ e r þ h T jjVxjjVy

� �� �Re gID� H PWð Þð Þ;P� �

¼ e r þ h T jjVxjjVy

� �� �sH IDð Þð Þ;P� �

¼ e H IDð Þ; r þ h T jjVxjjVy

� �� �sP

� �¼ e H IDð Þ; rPpub þ h T jjVxjjVy

� �Ppub

� �¼ e H IDð Þ;V þ h T jjVxjjVy

� �Ppub

� �

7.2. Performance

We compare the phase wise performance of our scheme withthat of Das et al.'s scheme and present in the Table 1. TheRegistration and Password Change phases require same com-putational efforts in both schemes. However, the Login andVerification phases of our scheme require one random numbergeneration, two hash operations, one point addition, four con-catenations and one scalar addition and three scalarmultiplicationsextra, whereas, the verification does not require exponentiation.

7.3. Security

Here, we show that the proposed scheme can withstand re-play, forgery and insider attacks as below.

Replay attack: Suppose an adversary replays an interceptedvalid login request and the RS receives the request at time Tnew.The attack cannot work because it fails in the verification phaseas the time interval (Tnew−T) exceeds the expected transmissiondelay ΔT.

Forgery attack: A valid user login request consists of b ID,DID, V, T N, where V = r Ppub and DID=(r+h(T||Vx||Vy))[Re gID−H(PW )]. Re gID is securely stored in smart card by RSat the time of user registration process and it is difficult toextract Re gID from the smart card. Further, an adversary cannotconstruct a valid Re gID= s.H(ID)+H(PW) without the knowl-edge of RS's secret keys and user's password. If an adversaryintercepts a valid login requestbID,DID,V,T N, he cannot resendit later, by changing the timestamp as it fails in the verificationphase. If a valid smart card is stolen, the unauthorized usercannot login to the RS as he does not know the password of thecard owner. Furthermore, an adversary cannot create a validtuple bID,DID′,V′,T′N by intercepting a valid login requestbID,DID,V,T N, as DID consists of secret information sH(ID),which cannot be separated without knowing the random numberr. To find r from V= rPpub, is equal to solving Discrete Loga-rithm Problem, which is considered to be a hard problem.Adversary cannot change V without changing DID, as DIDincludes h(T||Vx||Vy). So we claim that our scheme is strongagainst forgery attack.

Insider attack: In many scenarios, the user uses a commonpassword to access several systems for his convenience. If theuser login request is password-based and the RS maintainspassword or verifier table for login request verification, aninsider of RS can impersonate user's login by stealing passwordand can get access to the other systems. In our scheme, the RSdoes not maintain any password or verifier table, thus an insidercannot get the user password.

Though, the user submits his password to RS during theregistration process, he can change his password withoutthe help of RS by invoking the password change phase afterregistration, thereby the scheme can withstand the insiderattack.

8. Conclusion

In this paper, we analyzed both Das et al.'s and Chou et al.'sschemes and found that both the schemes are insecure againstforgery attack, replay attack and insider attack. We proposed animprovement of Das et al.'s scheme to overcome the flaws,without much extra computational cost as evident from theTable 1. The improved scheme can also consider another flavoras following: (i) instead of using concatenation and thenhashing, a single hash function which takes a scalar from finitefield and a point from elliptic curve group and outputs a scalar infinite field can be defined and used; (ii) in order to stronglyverify the user in the password change phase, password can bestored in the smart card securely. Our future work is in thedirection to provide online registration for the smart card byusers and thus completely removing the requirements of offlinecommunication with server.

References

[1] L. Lamport, Password authentication with insecure communication, Com-munications of the ACM 24 (11) (1981) 770–772.

[2] A. Shimizu, T. Horioka, H. Inagaki, A password authentication method forcontents communications on the Internet, IEICE Transactions on Com-munications E81-B (8) (1998) 1666–1673.

[3] T.C. Yeh, H.Y. Shen, J.J. Hwang, A secure one-time password authentica-tion scheme using smart cards, IEICE Transactions on CommunicationsE85-B (11) (2002) 2515–2518.

[4] C.C. Lee, M.S. Hwang, W.P. Yang, A flexible remote user authenticationscheme using smart cards, ACM Operating Systems Review 36 (3) (2002)46–52.

[5] C.C. Lee, L.H. Li, M.S. Hwang, A remote user authentication scheme usinghash functions, ACM Operating Systems Review 36 (4) (2002) 23–29.

[6] M.L. Das, A. Saxena, V.P. Gulati, A dynamic ID-based remote userauthentication scheme, IEEE Transactions on Consumer Electronics 50 (2)(2004) 629–631.

[7] W.C. Ku, A hash-based strong-password authentication scheme with-out using smart cards, ACM Operating Systems Review 38 (1) (2004)29–34.

[8] C.C. Chang, W.Y. Liao, A remote password authentication scheme basedupon ElGamal's signature scheme, Computers & Security 13 (2) (1994)137–144.

[9] D.P. Jablon, Strong password-only authenticated key exchange, ACMComputer Communications Review 26 (5) (1996) 5–20.

[10] M.S. Hwang, L.H. Li, A new remote user authentication scheme usingsmart cards, IEEE Transactions on Consumer Electronics 46 (1) (2000)28–30.

185T. Goriparthi et al. / Computer Standards & Interfaces 31 (2009) 181–185

[11] J.J. Shen, C.W. Lin, M.S. Hwang, A Modified remote user authenticationscheme using smart cards, IEEE Transactions on Consumer Electronics49 (2) (2003) 414–416.

[12] A.K. Awasthi, S. Lal, A remote user authentication scheme using smartcards with forward secrecy, IEEE Transactions on Consumer Electronics49 (4) (2003) 1246–1248.

[13] B.T. Hsieh, H.M. Sun, T. Hwang, On the security of some passwordauthentication protocols, Informatica 14 (2) (2003) 195–204.

[14] M. Peyravian, N. Zunic, Methods for protecting password transmission,Computers & Security 19 (5) (2000) 466–469.

[15] J.S. Chou, Y. Chen, J.Y. Lin, Improvement of Das et al.'s remote userauthentication scheme, http://eprint.iacr.org/2005/450.pdf.

[16] M.L. Das, A. Saxena, V.P. Gulati, D.B. Phatak, A novel remote userauthentication schemeusing bilinear pairings. Computers&Security (In Press).

[17] IEEE P1363.2 Draft D12, Standard specifications for password-basedpublic key cryptographic techniques, IEEE P1363 working group, 2003.

[18] OpenPGP, An Open Specification for Pretty Good Privacy, http://www.ietf.org/html.charters/openpgp-charter.html.

[19] SecureID, Secure Identity, http://www.rsa.com/node.aspx?id=1156.[20] SSL, Secure Socket Layer (SSL) Specification 3.0. http://wp.netscape.

com/eng/ssl3/.

Thulasi Goriparthi completed her Masters in Com-puter Science from the University of Hyderabad in2006. Presently, she is working as a software engineer

with Cavium Networks (India) Pvt. Ltd., Hyderabad.Her research interests are Cryptography and ComputerNetworks.

Manik Lal Das received his Ph.D. from Indian

Institute of Technology, Bombay in 2006. Currently, he is an Assistant Professor in Dhirubhai AmbaniInstitute of Information and Communication Technol-ogy, India. He is a member of IEEE and CryptologyResearch Society of India, and Technical committeemember of IEEE Communications and InformationSecurity. His research interests include Computer andNetwork Security and Wireless Sensor Networks.

Dr. Ashutoh Saxena completed his Ph.D. ComputerScience in 1996 and Post Doctoral work in 2002 fromISRC, QUT, Brisbane. He has authored more than 70research articles and also a book on “PKI: Concepts,Design and Deployment" published by Tata McGrawHill. Currently he is a Principal Researcher and leadingthe Application Security and Privacy group inSETLabs of Infosys Technologies Limited. For eight

years he worked as a Professor with the Institute forDevelopment and Research in Banking Technology,ank of India at Hyderabad. He served as a Program R&D arm of Reserve B

Committee member in many International Conferences. He is also in the Boardof Editors for International Journal on Information and Management, ElsevierPublication. His research interests include Authentication Technologies, SmartCards, Key Management and Privacy.