A User Authentication Scheme Based on Elliptic Curves Cryptography for Wireless Ad Hoc Networks

Abstract

The feature of non-infrastructure support in a wireless ad hoc network (WANET) makes it suffer from various attacks. Moreover, user authentication is the first safety barrier in a network. A mutual trust is achieved by a protocol which enables communicating parties to authenticate each other at the same time and to exchange session keys. For the resource-constrained WANET, an efficient and lightweight user authentication scheme is necessary. In this paper, we propose a user authentication scheme based on the self-certified public key system and elliptic curves cryptography for a WANET. Using the proposed scheme, an efficient two-way user authentication and secure session key agreement can be achieved. Security analysis shows that our proposed scheme is resilient to common known attacks. In addition, the performance analysis shows that our proposed scheme performs similar or better compared with some existing user authentication schemes.

1. Introduction

Wireless ad hoc network (WANET) is a decentralized type of wireless network. It has widely practical applications, such as tactical communication, emergency communication, temporary communication, and so on. However, the WANET is vulnerable to various attacks due to the absence of infrastructure support [1]. Security of the WANET is critical for its deployment and management. Moreover, the user authentication is the first safety barrier in a network. That is, each node needs to ensure that the peer node with which it is communicating is he/she claims. On the other hand, wireless devices have limited computation capability, memory and energy. For the resource-constrained WANET, an efficient and lightweight user authentication scheme is necessary.

Many user authentication schemes have been proposed for the WANET in recent years. In [2], Bechler, M. et al. proposed a cluster-based user authentication scheme, where a cluster head controls the cluster. Since the cluster structure is useful for enhancing the scalability, the cluster-based authentication scheme is more suitable for large-scale networks. However, this scheme is exposed to the single point of failure since all cluster members depend on the cluster head. A distributed key management and user authentication approach is proposed in [3], where the concepts of identity-based key cryptography and threshold secret sharing are used. This approach works in a self-organizing way to provide the key generation and management service, and effectively solves the single point of failure problem. However, the security is breached when a threshold number of shareholders are compromised. Other user authentication schemes were proposed in [4] and [5], where a certificate server (CS) is used to issue user’s certificate and public key. In addition, users perform the identity authentication with the assistance of CS. However, the CS is hard to be set up because of the dynamics of nodes in WANETs. Moreover, if the identity authentication needs the help of CS, the storage and management requirements of certificates increase the burden for CS.

Most user authentication schemes mentioned above use the public key infrastructure (PKI) [6] or the identity-based public key cryptosystem (ID-PKC) [7]. However, the high complexity for certificates in PKI increases the system burden greatly. In addition, the key escrow problem of ID-PKC is also a serious problem.

Unlike the prior work, the self-certified public key (SCPK) cryptosystem [8] is another kind of scheme. In this scheme, certificate authority (CA) embeds its signature in user’s public key, and computes user’s private key cooperatively with users. The advantage of the SCPK scheme is that the authenticity of a user’s public key can be verified publicly without using any certificate issued by the CA and the private key known to the user only. Hence, this scheme does not need the digital certificates as in the PKI scheme, as well as avoids the key escrow problem of the ID-PKC scheme.

Compared with RSA, one of most widely accepted and traditional public key cryptographies, elliptic curves cryptography (ECC), has attracted considerable attention due to its smaller key size and lower resource consumption for achieving the same security level. This is because the addition operation in ECC is the counterpart of modular multiplication in RSA, and multiple addition is the counterpart of modular exponentiation. Furthermore, ECC is based on the intractability of the elliptic curve discrete logarithm problem (ECDLP). That is, finding an effective and rapid solution to the ECDLP is still a hard problem [9].

Hence, the user authentication scheme based on SCPK and ECC is a feasible alternative for resource-constrained wireless networks, such as WANET, mobile ad hoc networks and wireless sensor networks. Several user authentication schemes using SCPK and ECC have been proposed [10,11,12]. In [10], a distributed user authentication scheme based on SCPK was presented. In this scheme, each user gets his/her public/private key from CA through a secure communication channel. However, providing a secure communication channel in a wireless network is not a trivial thing. A user authentication and key agreement scheme was proposed in [11], where the timestamp mechanism is used to resist the replay attack. However, it is a difficult task to maintain time synchronization in a WANET. In addition, the session key cannot resist key compromise impersonation attack in this scheme. In [12], a novel self-certified secure access authentication protocol was proposed. In this scheme, a challenge-response mechanism is adopted to resist the replay attack. However, the user’s private key can be compromised easily.

In this paper, we propose a user authentication scheme based on SCPK and ECC for a WANET. In order to reduce the computational complexity, the SCPK proposed in [13] is modified using ECC. The proposed user authentication scheme consists of three phases, namely the setup phase, the user registration phase, and the user authentication phase. CA selects and generates the global system parameters, and publishes them to the whole network in the setup phase. Users register with CA to obtain the private/public key pairs for authentication in the user registration phase. In the user authentication phase, users complete their identities authentication using their private/public keys and the CA’s public key. Finally, we analyze the performance of the proposed user authentication scheme, in terms of the security, the storage overhead, the communication overhead and the computation overhead. Analysis results show that our proposed scheme achieves efficient two-way user authentication and secure session key agreement. Hence, the proposed scheme is efficient, and suitable for the resource-constrained WANET.

Our proposed user authentication scheme differs from other existing user authentication schemes in [10,11,12] are: (1) A secure communication channel for distributing user’s public/private key does not need; (2) A modified challenge-response mechanism is adopted to resist the replay attack; (3) The authentication mechanism between user and CA in the user registration phase is used to resist the user masquerade attack.

The remainder paper is organized as follows. In Section 2, the system model for the proposed user authentication scheme is introduced. In Section 3, the proposed user authentication scheme based on SCPK and ECC is presented. The security and performance of the proposed scheme are analyzed in Section 4 and Section 5, respectively. Finally, we conclude the paper in Section 6.

2. System Model

Figure 1 shows the system architecture for our proposed user authentication scheme.

In this system, a CA is deployed to generate user’s private/public key pairs cooperatively with users. Each user knows the public key of the CA. With the public key of CA, each user can verify the peer user’s identity with whom he/she is communicating.

To clarify the proposed user authentication scheme, notations and their denotations are summarized in Table 1.

Figure 1. The system architecture of the proposed user authentication scheme in a wireless ad hoc network (WANET).

Figure 1. The system architecture of the proposed user authentication scheme in a wireless ad hoc network (WANET).

Table 1. Notations and their denotations.

Notations	Denotations
p	A large prime number
GF(p)	The finite field
a, b	The elliptic curve parameters, real numbers
Ep(a, b)	The elliptic curve over GF(p) consisting of the elliptic group of points defined by $y^2=x^3+ax+b(\mathrm{mod}p)$, where $(4a^3+27b^2)\mathrm{mod}p\ne 0$
G	A base point (x, y) selected on Ep(a, b) with a large order
n	The order of point G, where n is the smallest positive integer such that $nG=O$ (infinity point), and n is a large prime number
SHA(•)	A one-way hash function
sCA	The private key of CA
PCA	The public key of CA
NCA	A nonce randomly generated by CA from [2, n−2]
Ni	A nonce randomly generated by Ui from [2, n−2]
si	The private key of Ui
Pi	The public key of Ui
IDi	The identity of Ui
signaturei	The signature of Ui
MICi	The massage integrity code of the message generated by Ui
⊕	The simple exclusive-OR operation
||	The message concatenation operation

Table 1. Notations and their denotations.

Notations	Denotations
p	A large prime number
GF(p)	The finite field
a, b	The elliptic curve parameters, real numbers
Ep(a, b)	The elliptic curve over GF(p) consisting of the elliptic group of points defined by $y^2=x^3+ax+b(\mathrm{mod}p)$, where $(4a^3+27b^2)\mathrm{mod}p\ne 0$
G	A base point (x, y) selected on Ep(a, b) with a large order
n	The order of point G, where n is the smallest positive integer such that $nG=O$ (infinity point), and n is a large prime number
SHA(•)	A one-way hash function
sCA	The private key of CA
PCA	The public key of CA
NCA	A nonce randomly generated by CA from [2, n−2]
Ni	A nonce randomly generated by Ui from [2, n−2]
si	The private key of Ui
Pi	The public key of Ui
IDi	The identity of Ui
signaturei	The signature of Ui
MICi	The massage integrity code of the message generated by Ui
⊕	The simple exclusive-OR operation
||	The message concatenation operation

3. The Proposed User Authentication Scheme

In this section, a user authentication scheme based on SCPK and ECC for a WANET is presented.

The proposed scheme is divided into three phases, namely the setup phase, the user registration phase, and the user authentication phase. In the setup phase, CA generates the system parameters and publishes them to users. In the user registration phase, users obtain their private/public key pairs by registering with CA. In the user authentication phase, users complete their identities authentication with the help of their private/public keys and the public key of CA.

The detail of the proposed user authentication scheme is described as follows.

3.1. The Setup Phase

We adopt an elliptic curve defined over GF(p) is recommended by SEC 2 [14]. First, the elliptic curve E_p(a, b) over GF(p) is defined by $y^2=x^3+ax+b(\mathrm{mod }p)$, where a and b are real numbers, and $(4a^3+27b^2)\mathrm{mod}p\ne 0.$ Next, a base point G = (x_G, y_G) with a very large value order is selected on E_p(a, b). The order of G, n, is the smallest positive integer such that $n\cdot G=O$, where O is infinity point. The global parameters of the system, (p, a, b, G, n), are known by all users in networks.

CA randomly chooses an integer $s_{\text{CA}}$, from [2, n−2] as its private key. In addition, CA’s paired public key is generated with:

$${R^{\prime }}_i={r^{\prime }}_i\cdot G$$

(1)

And then, CA publishes P_CA to the whole network, but keeps $s_{\text{CA}}$ as a secret.

3.2. The User Registration Phase

When a user, U_i with identity ID_i, wants to join the system, he/she performs the following operations to register with CA.

First, U_i generates a nonce, N_i, using a pseudo-random number generator (PRNG), and randomly chooses an integer, $r_i^{\prime }$, from [2, n−2]. Then, U_i computes:

$$R_i^{\prime }=r_i^{\prime }\cdot G$$

(2)

And:

$$I{D}_i^{\prime }=I{D}_i\oplus SHA(r_i^{\prime }\cdot P_{\text{CA}})$$

(3)

After that, U_i transmits Message 1$(N_i,R_i^{\prime },I{D}_i^{\prime })$ to CA. That is, ${\text{U}}_i\to \text{CA}:N_i\left|\right|R_i^{\prime }\left|\right|I{D}_i^{\prime }$.

Receiving $(N_i,R_i^{\prime },I{D}_i^{\prime })$ from U_i, CA checks whether the message is fresh according to N_i. If the message has been received, CA discards it and cancels the user registration. Otherwise, CA computes:

$$SHA(s_{\text{CA}}\cdot R_i^{\prime })=SHA(s_{\text{CA}}\cdot r_i^{\prime }\cdot G)=SHA(r_i^{\prime }\cdot P_{\text{CA}})$$

(4)

The user’s identity is extracted by:

$$I{D}_i=I{D}_i^{\prime }\oplus SHA(s_{\text{CA}}\cdot R_i^{\prime })$$

(5)

CA checks ID_i. If ID_i has existed, CA cancels the user registration. Otherwise, CA randomly chooses an integer ${\tilde{r}}_{\text{CA}}$ from [2, n−2], and computes:

$$R_i=R_i^{\prime }+{\tilde{r}}_{\mathrm{CA}}\cdot G$$

(6)

And:

$${\tilde{s}}_i=(s_{\mathrm{CA}}\cdot SHA(I{D}_i\left|\right|R_i.x)+{\tilde{r}}_{\mathrm{CA}})\mathrm{mod}n$$

(7)

where $R_i.x$ is the x-coordinate of the point R_i.

CA generates a nonce, $N_{\text{CA}}$, using a PRNG, and returns Message 2$(N_i,N_{\text{CA}},R_i,{\tilde{s}}_i)$ to U_i. That is, $\text{CA}\to {\text{U}}_i:N_i\left|\right|N_{\text{CA}}\left|\right|R_i\left|\right|{\tilde{s}}_i$.

After receiving $(N_i,N_{\text{CA}},R_i,{\tilde{s}}_i)$ from CA, U_i derives the private key as:

$$s_i={\tilde{s}}_i+r_i^{\prime }=(s_{\text{CA}}\cdot SHA(I{D}_i\left|\right|R_i.x)+{\tilde{r}}_{\text{CA}})\mathrm{mod}n+r_i^{\prime }$$

(8)

And U_i verifies the authenticity of P_i by:

$$P_i=s_i\cdot G=P_{\mathrm{CA}}\cdot [(SHA(I{D}_i||R_i.x))\mathrm{mod}n]+R_i.$$

(9)

If this verification succeeds, U_i accepts P_i as his/her public key.

In the following, we demonstrate why the verification procedure described in (9) works correctly. According to Equations (6)–(8), we obtain:

$$\begin{array}{cc}{s}_i\cdot G& =[(s_{\text{CA}}\cdot SHA(I{D}_i||R_i.x)+{\tilde{r}}_{\text{CA}})\mathrm{mod}n+r_i^{\prime }]\cdot G\hfill \\ & =P_{\text{CA}}\cdot [SHA(I{D}_i\left|\right|R_i.x)\mathrm{mod}n]+{\tilde{r}}_{\text{CA}}\cdot G+r_i^{\prime }\cdot G\hfill \\ & =P_{\text{CA}}\cdot [SHA(I{D}_i\left|\right|R_i.x)\mathrm{mod}n]+R_i.\hfill \end{array}$$

Hence, U_i computes $SHA(N_{\text{CA}}||r_i^{\prime }\cdot P_{\text{CA}})$ and returns Message 3 ($SHA(N_{\text{CA}}||r_i^{\prime }\cdot P_{\text{CA}})$) to CA. That is, ${\text{U}}_i\to \text{CA}:SHA(N_{\text{CA}}||r_i^{\prime }\cdot P_{\text{CA}})$.

Receiving ($SHA(N_{\text{CA}}||r_i^{\prime }\cdot P_{\text{CA}})$), CA computes $SHA(N_{\text{CA}}||s_{\text{CA}}\cdot R_i^{\prime })$ and compares it with $SHA(N_{\text{CA}}||r_i^{\prime }\cdot P_{\text{CA}})$ received from U_i. If $SHA(N_{\text{CA}}||s_{\text{CA}}\cdot R_i^{\prime })$ = $SHA(N_{\text{CA}}||r_i^{\prime }\cdot P_{\text{CA}})$, CA is be convinced that U_i has verified the authenticity of his/her public key. Then, CA stores the registration information in the registration file. If $SHA(N_{\text{CA}}||s_{\text{CA}}\cdot R_i^{\prime })$ ≠ $SHA(N_{\text{CA}}||r_i^{\prime }\cdot P_{\text{CA}})$, CA cancels the user registration.

The interaction diagram of the user registration phase mentioned above is shown in Figure 2.

Figure 2. The user registration phase.

Figure 2. The user registration phase.

After U_i finishes the registration successfully, he/she stores (R_i, ID_i, s_i, P_i). Other users can use G, n, P_CA, R_i and ID_i to construct the public key of U_i, P_i.

3.3. The User Authentication Phase

The user authentication and session key agreement between Alice and Bob operates as follows, where Alice is an initiator and Bob is a responder.

Alice wants to set up a session key with Bob securely.

Step 1:$\text{Alice}\to \text{Bob}:N_{\text{A}}\text{||}C\text{|A}\text{|}I{D}_{\text{A}}\text{||}I{D}_{\text{B}}\text{||}{R}_{\text{A}}\left|\right|signatur{e}_{\text{A}}$

First, Alice generates a nonce, $N_{\text{A}}$, using a PRNG, and randomly chooses an integer, $r_{\text{A}}$, from $[2,n-2]$. Next, Alice computes $C_{\text{A}}=r_{\text{A}}\cdot G$ Then,Alice generates a signature using her private key as:

$$signatur{e}_{\text{A}}=(r_{\text{A}}+s_{\text{A}}\cdot SHA(N_{\text{A}}\left|\right|C_{\text{A}}\left|\right|I{D}_{\text{A}}\left|\right|I{D}_{\text{B}}\left|\right|R_{\text{A}}))\mathrm{mod}n$$

(10)

Thereafter, Alice sends $(N_{\text{A}},C_{\text{A}},I{D}_{\text{A}},I{D}_{\text{B}},R_{\text{A}},signatur{e}_{\text{A}})$ to Bob.

Step 2:$\text{Bob}\to \text{Alice}:N_{\text{A}}\left|\right|N_{\text{B}}\left|\right|C_{\text{B}}\left|\right|I{D}_{\text{B}}\left|\right|I{D}_{\text{A}}\left|\right|R_{\text{B}}\left|\right|MI{C}_{\text{B}}$

Receiving the message from Alice, Bob performs the following operations.

(1) According to $N_{\text{A}}$, Bob checks whether the message is fresh or not. If the message is fresh, Bob goes on the user authentication process. Otherwise, Bob rejects Alice’s authentication request.

(2) Bob computes Alice’s public key as:

$$P_{\text{A}}=P_{\text{CA}}\cdot [(SHA(I{D}_{\text{A}}||R_{\text{A}}.x))\mathrm{mod}n]+R_{\text{A}}$$

(11)

Bob verifies the Alice’s signature as:

$$\begin{array}{cc}signatur{e}_{\text{A}}\cdot G& =[(r_{\text{A}}+s_{\text{A}}\cdot SHA(N_{\text{A}}|\left|C_{\text{A}}\right|\left|I{D}_{\text{A}}\right|\left|I{D}_{\text{B}}\right||R_{\text{A}}))\mathrm{mod}n]\cdot G\hfill \\ & =r_{\text{A}}\cdot G+[(s_{\text{A}}\cdot SHA(N_{\text{A}}|\left|C_{\text{A}}\right|\left|I{D}_{\text{A}}\right|\left|I{D}_{\text{B}}\right||R_{\text{A}}))\mathrm{mod}n]\cdot G\hfill \\ & =C_{\text{A}}+P_{\text{A}}\cdot [(SHA(N_{\text{A}}|\left|C_{\text{A}}\right|\left|I{D}_{\text{A}}\right|\left|I{D}_{\text{B}}\right||R_{\text{A}}))\mathrm{mod}n].\hfill \end{array}$$

If the signature is valid, Alice is a valid user and Bob continues the user authentication process. Otherwise, Bob cancels the user authentication process.

(3) Bob generates a nonce $N_{\text{B}}$, using a PRNG, and randomly chooses an integer $r_{\text{B}}$, from $[2,n-2]$. Next, Bob computes $C_{\text{B}}=r_{\text{B}}\cdot G$. Then, Bob computes the session key,

$$K_{\text{BA}}=SHA((r_{\text{B}}+s_{\text{B}})\cdot (C_{\text{A}}+P_{\text{A}}))$$

(12)

and the message integrity code,

$$MI{C}_{\text{B}}=SHA(K_{\text{BA}}|\left|N_{\text{A}}\right|\left|N_{\text{B}}\right|\left|C_{\text{B}}\right|\left|I{D}_{\text{B}}\right|\left|I{D}_{\text{A}}\right||R_{\text{B}})$$

(13)

Finally, Bob sends $(N_{\text{A}},N_{\text{B}},C_{\text{B}},I{D}_{\text{B}},I{D}_{\text{A}},R_{\text{B}},MI{C}_{\text{B}})$ to Alice.

Step 3:$\text{Alice}\to \text{Bob}:N_{\text{B}}\left|\right|I{D}_{\text{A}}\left|\right|I{D}_{\text{B}}\left|\right|MI{C}_{\text{A}}$

Receiving the response from Bob, Alice executes the following operations.

(1) According to $N_{\text{A}}$, Alice checks whether the message is fresh or not. If the message is fresh, Alice continues the user authentication process. Otherwise, Alice cancels the user authentication process.

(2) Alice construct Bob’s public key as:

$$P_{\text{B}}=P_{\text{CA}}\cdot [(SHA(I{D}_{\text{B}}||R_{\text{B}}.x))\mathrm{mod}n]+R_{\text{B}}$$

(14)

(3) Alice computes the session key as:

$$K_{\text{AB}}=SHA((r_{\text{A}}+s_{\text{A}})\cdot (C_{\text{B}}+P_{\text{B}}))$$

(15)

and the message integrity code as:

$$MI{C}_{\text{B}}^{\prime }=SHA(K_{\text{AB}}|\left|N_{\text{A}}\right|\left|N_{\text{B}}\right|\left|C_{\text{B}}\right|\left|I{D}_{\text{B}}\right|\left|I{D}_{\text{A}}\right||R_{\text{B}})$$

(16)

Alice compares $MI{C}_{\text{B}}^{\prime }$ with $MI{C}_{\text{B}}$. If $MI{C}_{\text{B}}^{\prime }=MI{C}_{\text{B}}$, Alice passes the identity verification and regards Bob as a valid user.

Bob’s identity verification works as follows.

$$\begin{array}{cc}{K}_{\text{AB}}& =SHA((r_{\text{A}}+s_{\text{A}})\cdot (C_{\text{B}}+P_{\text{B}}))\hfill \\ & =SHA(r_{\text{A}}\cdot C_{\text{B}}+r_{\text{A}}\cdot P_{\text{B}}+s_{\text{A}}\cdot C_{\text{B}}+s_{\text{A}}\cdot P_{\text{B}})\hfill \\ & =SHA(r_{\text{A}}\cdot r_{\text{B}}\cdot G+r_{\text{A}}\cdot P_{\text{B}}+r_{\text{B}}\cdot P_{\text{A}}+s_{\text{A}}\cdot s_{\text{B}}\cdot G)\hfill \end{array}$$

$$\begin{array}{cc}{K}_{\text{BA}}& =SHA((r_{\text{B}}+s_{\text{B}})\cdot (C_{\text{A}}+P_{\text{A}}))\hfill \\ & =SHA(r_{\text{B}}\cdot C_{\text{A}}+r_{\text{B}}\cdot P_{\text{A}}+s_{\text{B}}\cdot C_{\text{A}}+s_{\text{B}}\cdot P_{\text{A}})\hfill \\ & =SHA(r_{\text{A}}\cdot r_{\text{B}}\cdot G+r_{\text{A}}\cdot P_{\text{B}}+r_{\text{B}}\cdot P_{\text{A}}+s_{\text{A}}\cdot s_{\text{B}}\cdot G)\hfill \end{array}$$

Hence, we have $K_{\mathrm{AB}}=K_{\text{BA}}$, and $SHA(K_{\text{AB}}|\left|N_{\text{A}}\right|\left|N_{\text{B}}\right|\left|C_{\text{B}}\right|\left|I{D}_{\text{B}}\right|\left|I{D}_{\text{A}}\right||R_{\text{B}})=SHA(K_{\text{BA}}|\left|N_{\text{A}}\right|\left|N_{\text{B}}\right|\left|C_{\text{B}}\right|\left|I{D}_{\text{B}}\right|\left|I{D}_{\text{A}}\right||R_{\text{B}})$ which implies the identity verification is valid.

(4) Alice computes $MI{C}_{\text{A}}=SHA(K_{\text{ AB}}||N_{\text{B}}||I{D}_{\text{A}}||I{D}_{\text{B}})$, and returns($N_{\text{B}},I{D}_{\text{A}},I{D}_{\text{B}}$, $MI{C}_{\text{A}}$) to Bob.

Receiving the message from Alice, Bob executes the following operations.

(1) According to $N_{\text{B}}$, Bob checks whether the message is fresh or not. If the message is fresh, Bob continues the user authentication process. Otherwise, Bob cancels the user authentication process.

(2) Bob computes $MI{C}_{\text{A}}^{\prime }=SHA(K_{\text{BA}}|\left|N_{\text{B}}\right|\left|I{D}_{\text{A}}\right||I{D}_{\text{B}})$, and compares it with $MI{C}_{\text{A}}=SHA(K_{\text{AB}}|\left|N_{\text{B}}\right|\left|I{D}_{\text{A}}\right||I{D}_{\text{B}})$ received from Alice. If $MI{C}_{\text{A}}^{\prime }=MI{C}_{\text{A}}$, Bob regards that Alice has verified his identity. At the same time, the session key agreement is successful, and the session key can be used for future communication.

Since $K_{\mathrm{AB}}=K_{\text{BA}}$, it is obvious that $MI{C}_{\text{A}}^{\prime }=MI{C}_{\text{A}}$.

The interaction diagram of the user authentication phase mentioned above is illustrated in Figure 3.

The overall process of the proposed user authentication scheme is illustrated in Figure 4.

4. Security Analysis

The security of the proposed user authentication scheme is based on the intractability of reversing ECDLP and one-way hash function problem (OWHFP).

Let E_p(a, b) be an elliptic curve over $\mathrm{GF}(p)$. P is a point with order n on the elliptic curve E_p(a, b). Q is another point on the same curve.

The ECDLP is to determine m satisfying $Q=m\cdot P$ with given P and Q, which is difficult.

Let h be a one-way hash function. Given $h(x)$, it is computationally infeasible to find x. Furthermore, for a given value x and $h(x)$, it is computationally infeasible to find a y such that $h(y)=h(x)$.

Figure 3. The user authentication phase.

Figure 3. The user authentication phase.

Figure 4. The proposed user authentication scheme.

Figure 4. The proposed user authentication scheme.

4.1. Security Analysis in User Registration Phase

Theorem 1.

The proposed user authentication scheme is secure against user masquerade attack, message-forgery attack, impersonate attack from CA in user registration phase.

Proof.

(1) User masquerade attack resistance

We assume that an adversary (Eve) intercepts the legal user’s registration information and attempts to masquerade the legal user (${\text{U}}_i$) to join in the network. However, Eve will be faced with some difficulties in following scenarios.

Although Eve intercepts $I{D}_i^{\prime }$, he cannot masquerade the valid user. Because ${\text{U}}_i$ ’s identity is hidden in $I{D}_i^{\prime }=I{D}_i\oplus SHA(r_i^{\prime }||P_{\text{CA}})$. If Eve wants to obtain $I{D}_i$ from $I{D}_i^{\prime }$, he must first obtain $SHA(r_i^{\prime }||P_{\text{CA}})$ which is protected under the OWHFP and ECDLP.

Although Eve intercepts message $(N_i,N_{\text{CA}},R_i,{\tilde{s}}_i)$ and wants to masquerade the valid user, he should derive $r_i^{\prime }$ from $R_i^{\prime }=r_i^{\prime }\cdot G$. It is not possible because solving the ECDLP is computationally infeasible. Meantime, he cannot return Message 3 ($SHA(N_{\text{CA}}||r_i^{\prime }\cdot P_{\text{CA}})$) to CA without the knowledge of $r_i^{\prime }$.

Although Eve gets $I{D}_i$, he attempts to re-register with CA on the purpose of masquerading a valid user. Even if this attack is successful, the attack can be easily detected. This is because CA is convinced that the user has verified the authenticity of his public key since receiving Message 3. And CA stores the user’s registration information in the registration file. As a registration request is accepted, CA will check the submitted user’s identity information of the user in the registration file to prevent the re-registration attempt.

Therefore, our proposed scheme can resist the user masquerade attack.

(2) Message-forgery attack resistance

We assume that Eve intercepts $(N_i,N_{\text{CA}},R_i,{\tilde{s}}_i)$ when CA returns it to ${\text{U}}_i$ and attempts to forge $(R_i,{\tilde{s}}_i)$.

${\text{U}}_i$ verifies the condition $s_i\cdot G=P_{\mathrm{CA}}\cdot [(SHA(I{D}_i,R_i.x))\mathrm{mod}n]+R_i$. The verification does not hold because Eve needs to have the private key of CA, P_CA. Hence, Eve should compute $s_{\text{CA}}$ from $P_{\text{CA}}=s_{\text{CA}}\cdot G$. It is not possible because solving the ECDLP is computationally infeasible. Therefore, our proposed scheme can resist the message-forgery attack.

(3) Resistance of the impersonate attack from CA

We assume that CA generates another pair of valid private/public key, ($s_i^{\prime },P_i^{\prime }$), satisfying (9), CA can impersonate ${\text{U}}_i$. However, this fraud can be detected by ${\text{U}}_i$ because two different valid keys exist. It can prove that CA is cheating. Therefore, our proposed scheme can resist the impersonate attack from CA.

4.2. Security Analysis in User Authentication Phase

Theorem 2.

The proposed user authentication scheme achieves mutual trust, and is secure against man-in-the-middle attack, replay attack, masquerading and tampering attacks in user authentication phase.

Proof.

(1) Mutual trust

The signature of the message sent by Alice is generated in Step 1, which is verified by Bob in Step 2. In this way, Bob authenticates Alice’s identity.

Moreover, a message integrity code of the message sent by Bob, $MI{C}_{\text{B}}=SHA(K_{\text{BA}}|\left|N_{\text{A}}\right|\left|N_{\text{B}}\right|\left|C_{\text{B}}\right|\left|I{D}_{\text{B}}\right|\left|I{D}_{\text{A}}\right||R_{\text{B}})$, is applied in Step 2. This provides the evidence of authentication and integrity for the message received by Alice. In the proposed scheme, $MI{C}_{\text{B}}$ contains $K_{\text{BA}}=SHA((r_2+s_{\text{B}})\cdot (C_{\text{A}}+P_{\text{A}}))$ generated by Bob’s private key. Hence, $MI{C}_{\text{B}}$ can be used to authenticate Bob’s identity.

Therefore, the proposed scheme provides the two-way authentication between Alice and Bob.

(2) Man-in-the-middle attack resistance

In the user registration phase, it prevents from the re-registration attempt so that adversaries can hardly masquerade other valid users to perform the man-in-the-middle attack.

In the user authentication phase, the proposed scheme exchanges $C_{\text{A}}=r_{\text{A}}\cdot G$ and $C_{\text{B}}=r_{\text{B}}\cdot G$ along with $signatur{e}_{\text{A}}$ and $MI{C}_{\text{B}}$, and generates the session keys, $K_{\text{AB}}=SHA((r_{\text{A}}+s_{\text{A}})\cdot (C_{\text{B}}+P_{\text{B}}))$ and $K_{\text{BA}}=SHA((r_{\text{B}}+s_{\text{B}})\cdot (C_{\text{A}}+P_{\text{A}}))$, using the private keys, $s_{\text{A}}$ and $s_{\text{B}}$, and two random values, $r_{\text{A}}$ and $r_{\text{B}}$. Man-in-the-middle attack is only possible if an adversary (Eve) can forge $signatur{e}_{\text{A}}$ and $MI{C}_{\text{B}}$. Hence, Eve must compute $s_{\text{A}}$ and $s_{\text{B}}$ from the pair ($P_{\text{A}}$, $P_{\text{B}}$) = ($s_{\text{A}}\cdot G$, $s_{\text{B}}\cdot G$). It is not possible because solving the ECDLP is computationally infeasible.

Therefore, the proposed scheme can resist man-in-the-middle attack.

(3) Replay attack resistance

Two types of replay attacks are considered. Type-I replay attack is defined as an adversary intercepts an authentication message and attempts to masquerade as a sender by replaying it without modifying any content of the authentication message. Type-II replay attack is defined as an adversary intercepts an authentication message and replays a forged authentication message modified from the original one.

Since the proposed scheme uses the nonce to ensure the fresh of message, the type-I replay attack will be excluded by checking the nonce. If Eve intercepts the message $(N_{\text{A}},C_{\text{A}},I{D}_{\text{A}},I{D}_{\text{B}},R_{\text{A}},signatur{e}_{\text{A}})$ and replays it to impersonate Alice, Bob checks whether the message is fresh or not according to N_A. If the nonce has been received, Bob discards the message.

In order to pass the authentication of Alice, Eve must change the nonce. It is assumed that Eve only changes the nonce from N_A to $N_A^{\prime }$ in $(N_{\text{A}},C_{\text{A}},I{D}_{\text{A}},I{D}_{\text{B}},R_{\text{A}},signatur{e}_{\text{A}})$ to forge the authentication message. Bob verifies $signatur{e}_{\text{A}}\cdot G\stackrel{?}{=}{C}_{\text{A}}+P_{\text{A}}\cdot [(SHA(N_A^{\prime }|\left|C_{\text{A}}\right|\left|I{D}_{\text{A}}\right|\left|I{D}_{\text{B}}\right||R_{\text{A}}))\mathrm{mod}n]$. The message verification does not hold since Eve needs to have the private key of Alice, P_A, to generate a new signature. It is not possible because solving the ECDLP is intractable. In the same way, an adversary impersonating Bob cannot pass the authentication. Hence, the nonce cannot be forged in the proposed scheme, which means that the proposed scheme is also resistant to the type-II replay attack.

Therefore, the proposed scheme can resist the replay attack.

(4) Masquerading and tampering attacks resistance

It is assumed that an adversary (Eve) intercepts an authentication message and replays it to masquerade as a valid user.

Eve intercepts an authentication message sent by Alice and attempts to masquerade as Alice by launching the type-I replay attack. After Bob receives the authentication message, he will check whether the message is fresh or not according to N_A. If the nonce has been received, Bob discards the message. On the other hand, Eve intercepts an authentication message and launches the type-II replay attack. It is difficult to succeed since Eve needs to use P_A to generate a new signature. Computing $s_{\text{A}}$ from $P_{\text{A}}\text{=}{s}_{\text{A}}\cdot G$ is not possible because solving the ECDLP is computationally infeasible.

It is assumed that an adversary (Eve) intercepts the message $(N_{\text{A}},C_{\text{A}},I{D}_{\text{A}},I{D}_{\text{B}},R_{\text{A}},signatur{e}_{\text{A}})$ and attempts to tamper the message. This action will not pass the user authentication of Alice. As explained in the replay attack resistance, Eve needs to use P_A to generate a new signature. Hence, Eve encounters the intractability of solving the ECDLP. In addition, the one-way hash function is adopted in the user authentication phase to guarantee the integrity of message, which contains the session key generated by Alice and Bob’s private keys. Computing ($s_{\text{A}}$, $s_{\text{B}}$) from ($P_{\text{A}}$, $P_{\text{B}}$) is not possible because solving the ECDLP is computationally infeasible.

Therefore, the proposed scheme can resist the masquerading and tampering attacks.

Theorem 3.

Based on the difficulty in solving the ECDLP, the proposed user authentication scheme provides perfect forward secrecy, backward secrecy, key compromise impersonation attack resistance, known-key security, unknown key-share resistance, and known session-specific temporary information attack resistance.

Proof.

(1) Perfect forward secrecy and backward secrecy

It is assumed that the private keys, $s_{\text{A}}$ and $s_{\text{B}}$, are compromised, and an adversary (Eve) attempts to compute the key $K_{\text{AB}}=SHA(r_{\text{A}}\cdot r_{\text{B}}\cdot G+s_{\text{B}}\cdot C_{\text{A}}+s_{\text{A}}\cdot C_{\text{B}}+s_{\text{A}}\cdot s_{\text{B}}\cdot G)$. Here, the forward secrecy is achieved by means of the term $r_{\text{A}}\cdot r_{\text{B}}\cdot G$. However, in order to compute the session key, Eve needs the knowledge of the random values, $r_{\text{A}}$ and $r_{\text{B}}$. Solving $C_{\text{A}}$ and $C_{\text{B}}$ to get $r_{\text{A}}$ and $r_{\text{B}}$ is equivalent to the problem of solving ECDLP.

In addition, the session key relies on the random values, $r_{\text{A}}$ and $r_{\text{B}}$, which are generated in each session independently and changed for each authentication phase.

Furthermore, another important aspect of our proposed scheme is that the session key is protected by the secure hash function. Although an adversary obtains a certain period session key, he/she cannot use the current session key to get forward and backward session keys. Hence, the session key in the proposed scheme achieves perfect forward secrecy and backward secrecy.

(2) Key compromise impersonation attack resistance

As defined in [15], the key compromise impersonation attack resistance is that an adversary (Eve) can masquerade as Alice if Alice’s private key is compromised, while Eve cannot masquerade as another user to interact with Alice.

It is assumed that the long-term private key of Alice, $s_{\text{A}}$, is compromised and known to Eve. Obviously, Eve can impersonate Alice using $s_{\text{A}}$. However, to impersonate any other user (Bob) to interact with Alice, Eve would need the session key, $K_{\text{BA}}=SHA(r_{\text{B}}\cdot C_{\text{A}}+r_{\text{A}}\cdot P_{\text{B}}+r_{\text{B}}\cdot P_{\text{A}}+s_{\text{A}}\cdot P_{\text{B}})$. Thus, Eve needs to have the private key of Bob, $s_{\text{B}}$, or the random value generated by Alice, $r_{\text{A}}$. Solving P_B and C_A to get $s_{\text{B}}$ and $r_{\text{A}}$ is equivalent to the problem of solving ECDLP. In addition, in most circumstances, the private key of a user is updated periodically.

Hence, the key compromise impersonation vulnerability can be limited to some considerably low extent.

(3) Known-key security

The proposed scheme achieves the known-key security if the knowledge of previous generated session keys does not allow an adversary to compromise the past or future session keys.

It is assumed that a session key generated by the proposed scheme is obtained by an adversary (Eve). Eve cannot derive all past and future session keys from the knowledge of the compromised session key. To derive a session key, Eve has to compute ($r_{\text{A}}$, $r_{\text{B}}$) and ($s_{\text{A}}$, $s_{\text{B}}$) from ($C_{\text{A}}$, $C_{\text{B}}$) and ($P_{\text{A}}$, $P_{\text{B}}$), respectively. It is not possible because solving the ECDLP is computationally infeasible.

(4) Unknown key-share resistance

A key agreement protocol achieves unknown key-share attack resistance if a user cannot be forced to share a session key with a different user rather than the one intended without their knowledge. That is, Alice cannot be forced to share a key with Eve when Alice believes that the key is shared with Bob.

In the user authentication phase of the proposed scheme, Bob sends a message to Alice, $N_{\text{A}}\left|\right|N_{\text{B}}\left|\right|C_{\text{B}}\left|\right|I{D}_{\text{B}}\left|\right|I{D}_{\text{A}}\left|\right|R_{\text{B}}\left|\right|MI{C}_{\text{B}}$. And MIC_B contains $K_{\text{BA}}=SHA((r_{\text{B}}+s_{\text{B}})\cdot (C_{\text{A}}+P_{\text{A}}))$ generated by Bob’s private key, $s_{\text{B}}$. Similarly, Alice responds to Bob with the message, $N_{\text{B}}\left|\right|I{D}_{\text{A}}\left|\right|I{D}_{\text{B}}\left|\right|MI{C}_{\text{A}}$. And MIC_A contains $K_{\text{AB}}=SHA((r_{\text{A}}+s_{\text{A}})\cdot (C_{\text{B}}+P_{\text{B}}))$ generated by Alice’s private key $s_{\text{A}}$. The verification of MIC_B and MIC_A at Alice and Bob confirms the generation of same session key.

Therefore, the proposed scheme resists the unknown key-share attack.

(5) Known session-specific temporary information attack resistance

The security of the generated session key should not be compromised even if two random values are compromised by an adversary (Eve).

In the proposed scheme, Eve cannot derive the session key $K_{\text{AB}}=SHA((r_{\text{A}}+s_{\text{A}})\cdot (C_{\text{B}}+P_{\text{B}}))$ and $K_{\text{BA}}=SHA((r_{\text{B}}+s_{\text{B}})\cdot (C_{\text{A}}+P_{\text{A}}))$ even if $r_{\text{A}}$ and $r_{\text{B}}$ are compromised. This is because Eve does not know Alice’s private key and Bob’s private key, $s_{\text{A}}$ and $s_{\text{B}}$. Moreover, Eve cannot derive from ($P_{\text{A}}$, $P_{\text{B}}$)=($s_{\text{A}}\cdot G$, $s_{\text{A}}\cdot G$) because solving the ECDLP is computationally infeasible.

Therefore, the proposed scheme resists the known session-specific temporary information attack.

5. Performance Analysis

In this section, we analysis the performance of the proposed user authentication scheme, in terms of security, storage overhead, communication overhead and computation overhead.

(1) Attack resistance and functionality

The attack resistance and functionality of the proposed user authentication scheme are compared with other three schemes, namely Diffie-Hellman key agreement scheme in [4] (abbreviated as DHKA scheme), the user authentication phase of secure MAC protocol for cognitive radio networks in [5] (abbreviated as SecureMAC protocol), and authentication and key agreement scheme in [11] (abbreviated as AKA scheme).

The comparison results are listed in Table 2. From Table 2, we observe that our proposed user authentication scheme provides two-way user authentication and session key agreement. However, SecureMAC protocol in [5] does not achieve the session key agreement.

Table 2. The functionality comparison.

Functionality	DHKA Scheme in [4]	SecureMAC Protocol in [5]	AKA Scheme in [11]	Proposed Scheme
Mutual trust	Yes	Yes	Yes	Yes
Session key agreement	Yes	No	Yes	Yes
Time synchronization	Not need	Not need	Need	Not need
Replay attack resistance	No	Yes	Yes	Yes
Man-in-the middle attack resistance	Yes	Yes	Yes	Yes
Forward secrecy	No	No	Yes	Yes
Backward secrecy	No	No	Yes	Yes
Key compromise impersonation attack resistance	No	No	No	Yes

Table 2. The functionality comparison.

Functionality	DHKA Scheme in [4]	SecureMAC Protocol in [5]	AKA Scheme in [11]	Proposed Scheme
Mutual trust	Yes	Yes	Yes	Yes
Session key agreement	Yes	No	Yes	Yes
Time synchronization	Not need	Not need	Need	Not need
Replay attack resistance	No	Yes	Yes	Yes
Man-in-the middle attack resistance	Yes	Yes	Yes	Yes
Forward secrecy	No	No	Yes	Yes
Backward secrecy	No	No	Yes	Yes
Key compromise impersonation attack resistance	No	No	No	Yes

Moreover, the session key of our proposed scheme achieves perfect forward secrecy and backward secrecy, and key compromise impersonation attack resistance compared with DHKA scheme in [4] and AKA scheme in [11].

In addition, our proposed scheme also defends against the replay attack with modified challenge-response mechanism, but DHKA scheme in [4] is vulnerable to the replay attack. AKA scheme in [11] defends against the replay attack using timestamp mechanism.

(2) Storage overhead

Each user needs store parameters (p, a, b, G, n, P_CA, R_i, ID_i) and the private/public key pair (s_i, P_i). In our proposed scheme, we assume that the key length of ECC is 160 bits, and the length of ID value is 160 bits. The storage overhead of each user is listed in Table 3.

Table 3. Storage overhead of each user.

Parameters	Storage Overhead (bits)
The parameters of ECC, (p, a, b, G, n)	960/(160 + 160 + 160 + 320 + 160)
CA’s public key, PCA	320
Point Ri	320
User identity, IDi	160
User’s private key, si	160
User’s public key, Pi	320
Total	2240

Table 3. Storage overhead of each user.

Parameters	Storage Overhead (bits)
The parameters of ECC, (p, a, b, G, n)	960/(160 + 160 + 160 + 320 + 160)
CA’s public key, PCA	320
Point Ri	320
User identity, IDi	160
User’s private key, si	160
User’s public key, Pi	320
Total	2240

The total storage overhead is only 2,240 bits, which is quite suitable for resource-constrained wireless network.

For security, the private key of U_i, s_i, needs to be stored in the form of ciphertext, and the public key of U_i, P_i, and other parameters, (p, a, b, G, n, P_CA, R_i, ID_i) are stored in the form of plaintext. Since other users can use n, P_CA, R_i and ID_i to construct the public key of U_i, P_i, users does not need to store the public keys of other users with whom he/she is communicating. In addition, since the generated session key between two users is temporary, it does not need to be stored.

(3) Communication overhead

Let the length of nonce be 64 bits, and the hash value of the one way hash function is 256 bits. The communication overhead in the user authentication phase of our proposed scheme is listed in Table 4.

Table 4. Communication overhead of each user.

Message	Communication Overhead (bits)
Step 1	1184
Step 2	1344
Step 3	640
Total	3168

Table 4. Communication overhead of each user.

Message	Communication Overhead (bits)
Step 1	1184
Step 2	1344
Step 3	640
Total	3168

From Table 4, it is obvious that the communication overhead in the user authentication phase of our proposed scheme is relatively light.

(4) Computation overhead

The computational complexity is analyzed in detail and compared with some other user authentication schemes, namely DHKA scheme in [4], AKA scheme in [11], time stamp mechanism and key management scheme in [16] (abbreviated as TSMKM scheme), authentication scheme based on bilinear pairings) in [17] (abbreviated as BP-A scheme), ECC-based authentication key agreement scheme in [18] (abbreviated as ECC-AKA scheme), and ECC-based improved authentication key agreement scheme in [19] (abbreviated as ECC-IAKA scheme).

The notations of various operations and the denotations used in this subsection are listed in Table 5.

Table 5. Definition of various operations.

Notations	Denotations
$T_{\text{EM}}$	The time for computing a point multiplication on $\text{GF}(p)$
$T_{\text{EA}}$	The time for computing a point addition on $\text{GF}(p)$
$T_{\text{BP}}$	The time for computing a bilinear pairing
$T_{\text{MI}}$	The time for computing modular inversion
$T_{\text{MM}}$	The time for computing modular multiplication
$T_{\text{MA}}$	The time for computing modular addition
$T_{\text{ME}}$	The time for computing modular exponentiation
$T_{\text{H}}$	The time for computing the one-way hash function
$T_{\text{RSA-Ver}}$	The time for computing RSA signature verification operation
$T_{\text{X}}$	The time for computing symmetric encryption/decryption operation

Table 5. Definition of various operations.

Notations	Denotations
$T_{\text{EM}}$	The time for computing a point multiplication on $\text{GF}(p)$
$T_{\text{EA}}$	The time for computing a point addition on $\text{GF}(p)$
$T_{\text{BP}}$	The time for computing a bilinear pairing
$T_{\text{MI}}$	The time for computing modular inversion
$T_{\text{MM}}$	The time for computing modular multiplication
$T_{\text{MA}}$	The time for computing modular addition
$T_{\text{ME}}$	The time for computing modular exponentiation
$T_{\text{H}}$	The time for computing the one-way hash function
$T_{\text{RSA-Ver}}$	The time for computing RSA signature verification operation
$T_{\text{X}}$	The time for computing symmetric encryption/decryption operation

According to [19,20,21,22,23], $T_{\text{BP}}\approx 3T_{\text{EM}}$, $T_{\text{EM}}\approx 29T_{\text{MM}}$, $T_{\text{EA}}\approx 0.12T_{\text{MM}}$, $T_{\text{ME}}\approx 240T_{\text{MM}}$, and $T_{\text{MI}}\approx 3T_{\text{MM}}$. Compared to the computational time for performing other operations, the time for performing the modular addition and one-way hash function can be negligible. The comparison of computation overhead is listed in Table 6.

As shown in Table 6, our proposed user authentication scheme does not involve modular exponentiation and bilinear pairing operations, while DHKA scheme in [4] and the BP-A scheme in [17] require two modular exponentiation operations and three bilinear pairing operations, respectively. Meanwhile, our proposed scheme reduces the amount of point multiplication operations compared with the AKA scheme in [11], the TSMKM scheme in [16] and the ECC-IAKA scheme in [19]. The ECC-AKA scheme in [18] utilizes both RSA and ECC to achieve mutual authentication, which increases the computation burden on user’s side. Hence, the computation overhead of our proposed scheme is obviously less than that of other compared schemes.

Table 6. Computation overhead of each user.

Schemes	Computation Overhead	Equivalent Computation Overhead
DHKA scheme in [4]	$2T_{\text{ME}}$	$480T_{\text{MM}}$
AKA scheme in [11]	$15T_{\text{EM}}+4T_{\text{MM}}+4T_{\text{MA}}+6T_{\text{EA}}+T_{\text{MI}}+6T_{\text{H}}$	$442.72T_{\text{MM}}$
TSMKM scheme in [16]	$15T_{\text{EM}}+5T_{\text{EA}}+2T_{\text{MI}}+4T_{\text{MM}}+T_{\text{MA}}+8T_{\text{H}}$	$445.6T_{\text{MM}}$
BP-A scheme in [17]	$2T_{\text{EM}}+3T_{\mathrm{BP}}+8T_{\text{H}}$	$319T_{\text{MM}}$
ECC-AKA scheme in [18]	$10T_{\text{EM}}+4T_{\text{EA}}+8T_{\text{MA}}+8T_{\text{MM}}+4T_{\text{MI}}+10T_{\text{H}}+2T_{\text{RSA-Ver}}$	$310.48T_{\text{MM}}+2T_{\text{RSA-Ver}}$
ECC-IAKA scheme in [19]	$17T_{\text{EM}}+5T_{\text{EA}}+3T_{\text{H}}+T_{\text{X}}$	$493.6T_{\text{MM}}+T_{\text{X}}$
Our proposed scheme	$8T_{\text{EM}}+5T_{\text{EA}}+3T_{\text{MA}}+T_{\text{MM}}+10T_{\text{H}}$	$233.6T_{\text{MM}}$

Table 6. Computation overhead of each user.

Schemes	Computation Overhead	Equivalent Computation Overhead
DHKA scheme in [4]	$2T_{\text{ME}}$	$480T_{\text{MM}}$
AKA scheme in [11]	$15T_{\text{EM}}+4T_{\text{MM}}+4T_{\text{MA}}+6T_{\text{EA}}+T_{\text{MI}}+6T_{\text{H}}$	$442.72T_{\text{MM}}$
TSMKM scheme in [16]	$15T_{\text{EM}}+5T_{\text{EA}}+2T_{\text{MI}}+4T_{\text{MM}}+T_{\text{MA}}+8T_{\text{H}}$	$445.6T_{\text{MM}}$
BP-A scheme in [17]	$2T_{\text{EM}}+3T_{\mathrm{BP}}+8T_{\text{H}}$	$319T_{\text{MM}}$
ECC-AKA scheme in [18]	$10T_{\text{EM}}+4T_{\text{EA}}+8T_{\text{MA}}+8T_{\text{MM}}+4T_{\text{MI}}+10T_{\text{H}}+2T_{\text{RSA-Ver}}$	$310.48T_{\text{MM}}+2T_{\text{RSA-Ver}}$
ECC-IAKA scheme in [19]	$17T_{\text{EM}}+5T_{\text{EA}}+3T_{\text{H}}+T_{\text{X}}$	$493.6T_{\text{MM}}+T_{\text{X}}$
Our proposed scheme	$8T_{\text{EM}}+5T_{\text{EA}}+3T_{\text{MA}}+T_{\text{MM}}+10T_{\text{H}}$	$233.6T_{\text{MM}}$

Moreover, as the performance analysis in [24], some parameters can be pre-computed to reduce the computational complexity. In our proposed scheme, C_A and C_B can be computed in advance. In this way, the computational complexity can be reduced in some extent.

In addition, if some applications require lower computational complexity, a higher clock frequency for hardware implementations or binary-field based elliptic curves [25] can be selected for our proposed scheme.

6. Conclusions

The WANET will play an important role in the next generation wireless networking. In addition, security issue is critical to deploy and manage WANETs. Furthermore, the user authentication is the first safety barrier in a network.

We proposed a user authentication scheme based on SCPK and ECC for the WANET, in which an efficient two-way user authentication and a secure session key agreement are achieved. Based on the security and performance analysis, our proposed scheme resists various common known attacks, such as man-in-the-middle attack, replay attack, masquerading and tampering attacks, as well as achieves lower storage, communication, and computation overheads. Therefore, the proposed user authentication scheme based on SCPK and ECC is efficient and suitable for the resource-constrained WANET.