Analysis and Improvement of a Lightweight Anonymous Authentication Protocol for Mobile Pay-TV Systems (Full text)

Transcription

1 Analyss and Improvement of a Lghtweght Anonymous Authentcaton Protocol for Moble Pay-TV Systems (Full text) arxv: v3 [cs.cr] 13 Sep st Saeed Banaean Far Department of Electrcal and Computer Engneerng, Scence and Research Branch Islamc Azad Unversty Tehran, Iran Saeed.banaean@srbau.ac.r Abstract For many years, the pay-tv system has attracted a lot of users. Users have recently expressed the desre to use moble TV or moble payment va anonymous protocols. The moble users have also receved ther servces over cellular communcatons networks. Each moble devce receves servces from each head end systems. Wth ncreasng numbers of users and the expanson of Internet, user s prvacy has become crucal mportant. When a devce leaves the head end system s range, t must receve servces from another head end system. In ths paper, we revew Chen et al s scheme and we hghlght some weaknesses, ncludng prvlege nsder attack and user traceablty attack. Fnally, we allevate the scheme and analyze the allevated scheme usng both heurstc and formal methods. Keyword: Authentcaton protocol, Formal model, Prvacy preservng, User anonymty, User traceablty I. INTRODUCTION After World War II, wreless communcatons were launched, and moble servces gradually became avalable. At that tme, there was only one moble operator that provded servce to a few users. Then, the second generaton of moble communcatons was ntroduced as cellular networks under the GSM standard [1]. Moble communcatons rapdly progressed. To date, communcatons have changed sgnfcantly four tmes. These changes and technologcal mutatons were ntroduced as dfferent generatons of wreless communcatons technology so that today, the fourth generaton of ths method of communcaton s utlzed. It s predcted that a new generaton of moble communcatons wll be ntroduced n 2020 that wll provde users wth great speed and accuracy[1], [2], [3]. Pay-TV system has attracted many users for almost 30 years. In 1994, the number of people who used ths technology reached 3.45 mllon n England. It doubled after 4 years [4]. Currently, numerous users use moble devces to watch TV, and many communcaton systems have been provded for usng the moble-tv servces [4], [5], [6], [7]. In these systems, the user can receve servces after regstraton n a head end system (HES) network and store hs/her nformaton The summary of ths artcle has been submtted at Correspondng author: Saeed Banaeanfar saeed banaean far@yahoo.com 2 nd Mahd R.Alagheband Department of Electrcal and Computer Engneerng, Scence and Research Branch Islamc Azad Unversty Tehran, Iran m.alaghband@srbau.ac.r n the database server (DBS) of the HES. At frst, the HES only broadcasts one authentcaton message to all the users who request the same servce [5]. Addtonally, n [7], a user can access a televson channel and play any vdeo on hs/her moble phone. Snce smart card-based networks and moble phone users are shftng to an ad hoc and comletely moble mode, HES cannot provde servce to users everywhere. Therefore, when moble users leave an area covered by a HES, they should receve servces from another HES [8], [28], [9], [10]. Frst of all, they have to be authentcated agan. In [8] the Mob- Cash protocol based on ellptc curve cryptography (ECC) was proposed, and [28] used symmetrc encrypton functons. Constantn Popescu and Lo-yao Yeh s schemes are also based on blnear parng [9], [10]. Recently, user prvacy has acqured specal sgnfcance so that the demand for anonymous communcaton n networks has ncreased, and servce provders have to authentcate users remotely and anonymously [11], [12], [13]. Bapana descrbes an anonymous authentcaton protocol sutable for dstrbuted computer networks [14]. Yang et al. proposed a two-party secure roamng protocol based on dentty based sgnatures (IBS) [12]. There are multple servers, and each server manages a set of subscrbers who are users of the network. Dedong et al. presented a model of two access modes: self-access and cross-doman access [13]. In self-access, the nternet servce provders (ISP ) provde servce to users drectly, and cross-doman access s smlar to that of a roamng network. Anonymous authentcaton schemes could meet these requrements. The valdty and legalty of a user s dentty s approved n anonymous authentcaton schemes whle dvulgng ther true dentty to no one. In some schemes, not only s the user s dentty anonymous on publc networks and channels, but users nsde the network and attackers also cannot retreve the user s ID [14], [16]. Even the server occasonally does not realze the user s ID [18]. In some schemes, there s no regstraton table for user authentcaton on the server [18], but the server can valdate and authentcate the users anonymously.

2 Our man contrbutons are lsted follows: We present a great user anonymty. It means that we assume that an adversary has the server secret key and user password, but t cannot obtan the user s dentty. We mprove the Chen s scheme [16] aganst prvlege nsder attack attack. It means that the severs have no ablty to obtan the users senstve nformaton. We mprove the Chen s scheme [16] aganst user traceablty attack. We analyze the allevated scheme usng both heurstc and formal methods. In ths paper, after dscussng related work n secton 2 and prerequstes for the scheme n secton 3, we descrbe and analyze Chen et. al s scheme[16] n secton 4. It should be noted that Km et al have also promoted ths scheme aganst stolen smart card-based attacks [19], but t s almost nfeasble as long as the user chooses just strong password because t requres succeed brute force attack. In the followng, we explan our allevated scheme. Then, we analyze the allevated scheme n heurstc and formal forms. Fnally, we compare our scheme wth recently proposed schemes. II. RELATED WORK In ths secton, we categorze pay-tv systems n 4 groups. At frst, we descrbe sgnature-based pay-tv systems. Blnd sgnature s practcal way to verfy user authentcaton by vald party, anonymously. Other categores are based on blnear parng, dgtal sgnature, encrypton/decrypton functon, and hash functon. Snce hash functon are lght and secure, t s appled for lghtweght schemes whch are sutable for weak devces such as sensors and smart phones. We depct ths secton on the table I, n summery. Parng-based pay-tv systems Other researchers proposed heavy scheme based on blnear parng, such as Wang et al proposed an authentcaton scheme for access control n moble pay-tv systems, n 2012 [17]. Ther protocol was resst aganst forgery, Man-n-the-Mddle M tm, and replay attacks. Thus, an adversary can pass the verfcaton phase successfully. Its performance s good, but as we sad, t s based on blnear parng and that s not sutable for lghtweght devces. In 2013, Lu used dentty-based encrypton n hs scheme [5]. A number of schemes also used cryptographc functons and blnear parngs (e.g., [6], [28], [9], [10]). Sabznejad Farash made mprovments [10] aganst mpersonaton attacks (User mpersonaton and HES mpersonaton) n [6]. Sabznejad Farash s scheme [6] s also a robust and secure system whch s the runnng tme of protocol shorter than the prevous schemes. However, hs proposed scheme s desgned wth blnear parng. It s too heavy and unsutable for the weak devces. In 2015, Heydar et al proposed an authentcaton scheme ressts aganst mpersonaton attack. They launched ther attack on ssue phase and generalzed t on other phases [27]. Recently, Wu et al. proposed an authentcaton schemes for moble pay-tv, but t does not support anonymty [28]. Anonymty s beng supported through parng transform n [29]. Also, n 2017, Wu et al. proved that the Sabznejad protocol has some weaknesses [30]. For example, t does not support mutual authentcaton. But there s no modfed scheme. Then, Besmans et al proposed pay-per-vew and a pay-per-channel that protect users prvacy [40]. Sgnature-based pay-tv systems A user s connecton wth banks s another payment method that can be mentoned. Blnd sgnature s another method for anonymzaton. In ths method, a legtmate party sgns the blnded message of users. After sgnng, other people can see the orgnal message along wth the vald sgnatures of the legal party. In 1996, Camensch presented a communcaton scheme n an anonymous way n whch a blnd sgnature was used [20]. Subsequently, authors have tred to provde more effcent schemes for moble-pay systems. Customers n ths scheme have to open an anonymous account and there s no need for the bank to dentfy the customers. In 2009 Bakhtar et al presented the M obcash scheme based on the blnd sgnature and the customer s relatonshp wth the bank [8]. Its blnd sgnature s based on ECDSA crypto system. In 2016, Wu et.al proposed an effcent scheme [28]. Ther scheme s a powerful scheme based on user sgnature. The user who wants to uses TV, must regster as legal user va proposed scheme and creates sesson key to watch the TV. The user sgns ts message and sends t to server. Server verfes the receved message wth open.algorthm whch s proposed n ths scheme. Encrypton-based pay-tv systems Encrypton-based schemes are most practcal classfcaton. Ths category nether heavy nor lght. Thus, are not sutable for weak devces. For example, Yang J-H and Chang proposed ID-based scheme on ECC crypto system for remote user authentcaton [15]. It has some drawbacks such as vulnerablty to nsder and mpersonaton attacks [16]. In the hash-based pay-tv system (the next category), we descrbe Chen s scheme [16] and then analyse t n the secton 4. In 2017 Arshad et al proposed an effcent scheme [39] based on Wang s scheme [17]. But, there s no blnear parng functons and Arshad s scheme s easy to mplement on F P GA boards. Hash-based pay-tv systems In 2011, Chen modfed the ECC-based scheme of Yang J-H and Chang [15]. The modfed protocol s lghtened and redesgned only wth hash functon but wthout ECC usng [16]. Then n 2012, Km et al mproved Chen s scheme [16] and made t robust aganst smart cardbased attacks [19]. We wll explan n secton 4 that the mprovement s not true. In recent years, low energy consumpton on smart cards has been motvated by an ncrease n the energy effcency and productvty of schemes so that some of the desgned

3 TABLE I AN OVERVIEW ON THE SECTION 2 Informaton Base Artcle or Cryptographc functons Contrbuton Schemes Year mprovement of. BP E/D/Sg H (n summery) Camencsh [20] 1996 Brckell 1995 [22] No Yes Yes Proposed an anonymous electronc Stadler 1995 [23] payment system Bakhtar [8] 2009 Abbadasar 2004 [42] No Yes Yes Proposed a MobCash system Chen [16] 2011 Yang 2009 [15] No No Yes Improved Yang s scheme [15] aganst nsder and mpersonaton attack Km [19] 2012 Chen 2011 [16] No No Yes Improved Chen s scheme [16] aganst smart card-based attacks. We explan n the secton 4 that the mprovement s not true Wang [17] 2012 Sun 2009 [41] Yes Yes Yes Improved Sun s scheme [41] aganst MtM and mpersonaton attacks Lu [5] 2013 Sun 2009 [41] Yes Yes Yes Prvacy preservng Reduce the computaton overhead Tsa [24] 2014 L 2012 [21] No No Yes Proposed a protocol based on chaotc map Sabznejad 2014 Yeh 2012 [10] Yes Yes Yes Improved Yeh s scheme [10] aganst head- Farash [6] end system mpersonaton attack Reduced the computaton overhead Heydar [27] 2015 Wang 2012 [17] Yes Yes Yes Improved Wang s scheme [17] aganst mpersonaton attack Reduced the computaton overhead Kou [26] 2015 Cho 2014 [38] No No Yes Improved Cho s scheme [38] aganst stolen smart card and mpersonaton attacks Wu [28] 2016 He 2016 [29] Yes Yes Yes Added anonymty to He s scheme [29] Wu [30] 2017 Sabznejad Added mutual authentcaton to Farash 2014 [6] Sabznejad Farash [6] Arshad [39] 2017 Wang 2012 [17] No Yes Yes Made Wang s scheme [17] effcent, and mplements t on F P GA boards Besmans [40] 2018 Attrapadung 2009 [43] Yes Yes Yes Prvacy preservng Note: BP : Blnear Parng E/D/Sg: Encrypton/Decrypton/Dgtal Sgnature H: Hash functon schemes for smart cards are hash-based and have hgh energy consumpton effcency (e.g., [21], [24], [26]). In 2014, Tsa proposed a lght anonymous authentcaton protocol [24]. Then, n 2015, Kuo et al. also presented a lghtweght scheme based on smart cards [26]. The lghtweght schemes are popular, snce lght devces have been developed. So, we focus on ths category of pay-tv systems. In the secton 5, we dscuss the [6], [10], [16], [19] and our scheme, n the compare them wth our mproved scheme. We llustrate that our allevated scheme s more secure than noted schemes. III. PRELIMINARIES In ths secton, we explan prelmnares of our paper. These functons are used for lghtweght protocols wth low power consumpton, so common encrypton functons are not used. After presentng the requred securty features n anonymous authentcaton schemes, we brefly explan cellular communcaton. Fnally, we explan the analyss of schemes through a formal method. A. Parameters and Enttes Descrpton a) Descrbe the enttes nvolved n ths paper: In Table II, the lst of enttes and parameters are depcted. Below, we explan the role of each of the enttes [16]. HES: A system sendng broadcast TV servce to recevers. Recever: A moble devce wth a CAS module used for access control. SAS/SMS: Subsystems responsble for subscrber authorzaton and management. Encrypter/Decrypter: Components for encryptng and decryptng CW, keys and senstve nformaton. Multplexer/Demultpexer: Components for multplexng and demultplexng A/V, data or IP to MPEG-2. Scrambler/Desclamber: Components for sgnal scramblng and the reverse engneerng of Scrambler. TX/RX: Subsystems for sgnal transmsson and recevng. ECM/EMM: Defned by DV B as two condtonal access messages.

4 TABLE II LIST OF NOTATIONS Enttes Descrpton Parameters Descrpton HES Head End System S Server SAS Subscrber Authorzaton System U The th user SMS Subscrber Management System ID ID of th user CW Control Word P W Password of th user CAS Condtonal Access System b Random number ECM Enttlement Control Message N User regstraton number EMM Enttlement Management Message T Tme stamp DBS Data Base Server T T T j MUX Multplexer Θ Token for ssue phase DEMUX Demultplexer γ Token for subscrpton phase T X Transmtter γ Token for hand-off phase RX Recevng module h(.) Secure one-way hash functon MS Moble devce XOR operaton DV B Dgtal Vdeo Broadcast Concatenate operaton A The Adversary y The secret key of the remote server The stared parameters are generated by adversary B. Securty Requrements In ths secton, we menton the defntons of securty requrements and the need for anonymous authentcaton protocols wth mult-server servce provders. Noted that the hash functon have to be secure n standard model aganst relevant attacks. One-way hash functons wth no collsons are functons wth varant nput and constant length output. From ther characterstcs, we can note that they do not have collsons and that they are one-way [32]. Prvacy Preservng Prvacy s a range of personal and prvate nformaton of the user that the user wants to be protected and unavalable to As [33]. In ths paper, user dentty requres protecton. Because users want to log n anonymously and keeps hs/her dentty prvate. User Anonymty User anonymty s a knd of prvacy polcy n networks. User anonymty means that user s denttes cannot be obtaned and fnd a lnk to trace the users by any channel eavesdroppng, stolen smart card, or access to the user database stored n server memory [31]. Accordng to ncreasng user requests to jon the networks and uses nternet-based servces, user s prvacy has become partcularly mportant and dentty anonymty s more consdered. User Traceablty Traceablty means that f a user logs n to a server several tmes, or to multple servers n several dfferent ponts, A or other users cannot determne wheter s the same user that was prevously logged n to the server or not [35]. Resstance aganst prvlege nsder attack There are many HESes n the cellular network and users can get servces from them. They authentcate users and then the users can use the servces. To authentcate users, the HESes obtan the real users dentty and then verfy ther log n request. It s clearly that n ths attack all HESes know the real users dentty and f one of the HESes s malcous, the users prvacy s broken [36]. But, we want to the HESes learn no prvacy nformaton about the users dentty. Forward and Backward Securty Forward securty means that when the user s out of the network (or network servce s revoked) and he s not a member of the network he must not retreve encrypted messages after leavng or revocaton. In fact, t means that the set of keys n the next sessons must be ndependent of the set of keys n the prevous ones. Backward securty means that f a user recently was a member of that network wth a new key to server, ths user would no longer retreve prevous sesson keys. Ths user cannot retreve the prevous encrypted nformaton by havng ether the exchanged nformaton n the past or the current key [34]. Mutual Authentcaton For secure communcaton, t s necessary that both partes presuade each other to confrm the dentty. So, the user s known to the server, and the user s able to authentcate the server through the mutual authentcaton protocol [18]. C. Formal Securty Analyss Many proposed anonymous authentcaton protocols have been analyzed va ad hoc methods, but all of ther drawbacks have not been dscovered. Hence, there s no doubt that a formal method to dscover the prvacy and securty drawbacks s requred. A s capabltes and threat models are classfed n formal analyss. In ths case, the adversary s capable of not only eavesdroppng on the channel but also revealng secret data va data recovery through smart card power analyss attack [37]. A game-based model s appled to prove each attack. A tres to success n the desgned game. We llustrate that A succeeds n desgned game over Chen s scheme [16]. However, t fals n desgned games over our mproved scheme. Accordng to the protocol s attrbutes, a formal analyss method has

5 TABLE III CORRESPONDENCE BETWEEN MS AND HESES U S Intalzaton phase Secure channel Issue phase Publc channel Subscrpton phase Publc channel Hand-off phase Publc channel three functons [37], [33]: () the experment functon, () the success functon, and () the probablty functon. as follows: Experment functon (EXP): A performs the process to get the requred nformaton. Success functon (Succ): It specfes how successful A s n ganng mportant data. Probablty functon (Pr): A s probablty of success n the recovery of secret values. If the probablty of success s neglgble (ɛ), the latter protocol s secure aganst assumed A [33]. Succ P rotocol name A D. Adversary abltes H.P. ] ɛ In ths secton we descrbe A abltes. We allow A to acheve all parameters stored n smart card and database of servers, and t can eavesdrop the publc channel, to show the securty power of our allevated scheme. In the followng we descrbe A abltes [11], [36], brefly: A can eavesdrop the publc channel. A can acheve to parameters stored n smart card. A can acheve to verfcaton table whch s the servers has access to t. In the secton 4.3, we show our scheme s secure aganst all of smart card-based and stolen server attacks, as well as prvacy drawbacks such as lack of anonymty and traceablty. In the followng, after explanton of Chen s scheme [16] and ts weaknesses, we deprt our modfed scheme ndetals. IV. REVIEW OF THE CHEN ET AL. SCHEME In ths secton, we nvestgate Chen s scheme [16]. Ths scheme has 4 phases: ntalzaton, ssue, subscrpton and hand-off. After brefly explanng the procedure of ths protocol, we menton ts weaknesses. The Fgure 1 shows the structure of general moble pay-tv system. The Fgure 2 and the Table III depct the the phases of Chen s scheme and correspondence between MS and HESes. Intalzaton phase Users are regstered n DBS of HES through SAS/SMS, and ther ID s stored n DBS along wth N. If N = 0, the user s dentty and N = 1 s stored. These communcatons are carred out through a secure channel. To perform ths process, the followng steps are performed by U : U chooses ID, P W, and generates b. Then t computes P W B = h(p W b) and submts ID and P W B to S. S checks ID s already n ts database or not. Then t calculates: K = h(id P W B ) Q = h(ud x) P W B R = h(p W B ID ) h(y) Here UD = h(id N). S ssues the smart card contanng [K, R, Q] and sends t to U over secure channel. U stores b on smart card. The smart card contans [K, R, Q, b] Issue phase For each log n and acquston of servce from each HES n the network, the user should send a log n request and receves a Θ as a token. Ths token s used n the subscrpton phase. Km et al. has attacked ths phase [19]. The attack scenaro s as follows: A lstens to a user s sesson n the ssue phase and steals the user s smart card. A could obtan P from C = h(p CID T 1 n ) by usng the values of C, CID, T 1, and n from the ntercepted messages [19]. Due to the securty of the secure one-way hash functon, the probablty of retrevng P from C s neglgble (ε). As a result, A cannot mpersonate the user, and Chen s scheme s secure aganst stolen smart card attacks. In the followng we descrbe the ssue phase of Chen s scheme: U enters ID and P W and computes: P W B = h(p W b) K = h(id P W B ) P = Q P W B h(y) = h(p W B ID ) R Then t generates a random number n and calculates: R t = R h(y n ) CID = ID h(y T 1 n ) C = h(p CID T 1 n ) and sends m = [R, C, CID, T 1, n ] to HES. HES receves m at T 2 and performs the followng steps: Checks T 2 T 1 T (acc/rej). Then t calculates: ID = CID h(y T 1 n ) and verfes ID f s a vald user dentty. Else, t termnates the log n request. Then calculates: P = h(ud x) = h(h(id N) x) C = h(p CID T 1 n ) then t checks C = C, f they are equal HES accepts the log n request and calculates R t = R h(y n ). Now, t chooses Θ, then calculates: D = h(p CID T 2 n )

6 Fg. 1. The structure of CAS n a general moble pay-tv system [16] Fg. 2. The phases of the Chen s scheme [16] E = Θ h(p 0 kt2 kn ) HES broadcasts the mutual authentcaton message m2 = [D, E, T2 ]. U receves m2 and checks the T3 T2 T (acc/rej). Then t computes D0 = h(p kcid kt2 kn ) and checks D0 = D. Fnally, t calculates certfed token θ = E h(p kt2 kn ) as the sesson key to get Pay-TV servce. Subscrpton phase For communcatng wth HES usng the obtaned Θ communcated wth HES and calculated γ. Then, t communcated wth HES and set the authentcaton key. To calculate γ the followng steps should be done: U nputs ts ID and P W and computes: P W = h(p W b) h(id P W B ) K = h(id P W B ) P = Q P W B h(y) = h(p W B kid )

7 then t generates a random number n and calculates: R = θ h(y n ) CID = ID h(y T 1 n ) C = h(p CID T 1 n ) and sends m = [R, C, CID, T 1, n ] to HES. HES receves m at T 2 and checks T 2 T 1 T (acc/rej). Then calculates ID = CID h(y T 1 n ) and verfes f ID s vald user s dentty and computes P = h(ud x) = h(h(id N) x). Then t checks C = h(p CID T 1 n ) = C. If they are equal, HES accepts the log n request and computes θ = R h(y n ). HES chooses a random number γ for U and calculates: D = h(p CID T 2 n ) E = γ h(p T 2 n ) Fnally, t broadcasts m 2 = [D, E, T 2 ]. After recevng M 2 n T 3, U checks T 3 T 2 T and f s vald checks D = h(p CID T 2 n ) = D. Then calculates the certfed token γ = E h(p T 2 n ) to get Pay-TV servce. Hand-off phase In the hand-off phase for leavng the covered area of each HES and communcatng wth another HES, another γ should be calculated as γ and used for obtanng future servces from HES. In fact, n ths phase, the users are re-authentcated wthout relog n and set a new authentcaton sesson key to obtan new HES. To calculate new authentcaton sesson key, U should be done the followng steps: It generates a new random number n and computes: Z = θ h(y n ) CID = ID h(y T 1 n ) C = h(p CID n ) then t sends m = [Z, C, CID, T 1, n ] to HES HES receves m at T 2 and checks T 2 T 1 T, then calculates: ID = CID h(y T 1 n ) P = h(h(id N) x) and checks C = h(p CID T 1 n ) = C and f they are equal accepts the request. For verfyng U s request, t calculates θ = Z h(y n ) and chooses γ as authentcaton sesson key and calculates: D = h(p CID T 2 n ) F = γ h(p T 2 n ) and broadcasts the mutual authentcaton message m 2 = [D, F, T 2 ]. TABLE IV THE PRIVILEGE INSIDER ATTACK Algorthm1 Set up: Input: CID, T 1, & n receved from publc channel Output: ID Challenge: 1. Receves CID, T 1 & n from publc channel 2. Computes ID = CID h(y T 1 n ) Guess: 3. If ID = ID then Return 1 and accept ID as vald ID (user s ID) else return 0 U receves m 2 at T 3 and checks T 3 T 2 T and D = h(p CID T 2 n ) = D and f they are equal, t accepts HES s request of mutual authentcaton. Fnally U calculates γ = F h(p T 2 n ) as the authentcaton sesson key to obtan new HES s servce. A. The Weaknesses of Chen et al. Scheme In ths secton, we menton the weaknesses of Chen scheme, ncludng prvlege nsder attack (subsequent breakng user prvacy by the HES, means that the malcous HES can obtan the users dentty and traces them), and user traceablty. 1) Prvlege nsder attack: Accordng to the secton 3.2 and 3.4, we assume that the HESes are malcous. In the ssue phase of Chen protocol, all HESes have y, whch s the partcular key of the server, and therefore they can use t to calculate R t = R h(y n ) and ID = CID h(y T 1 n ). In fact, s clear, each HESes can calculate values such as R and ID through y. On the table IV (algorthm1), we descrbe ths process n detal. After obtan the real users dentty, Some users prvacy are broken as fellows: Breakng User Anonymty: The ID s not drectly located on the channel, users IDs can be accessed by a smple relaton usng the nformaton receved from the publc channel. To obtan the user s dentty, t s enough to calculate the ID = CID h(y T 1 n ) va the CID, n, and T receved from the publc channel and knowng y. In such a case, the user s ID can be retreved. Ths procedure s descrbed n Table IV (Algorthm1). Accordng to the Table IV, We prove that malcous HES succeeds n the desgned game. Therefore, A can retreve a real user ID smply wth a probablty of 1, so: Succ Chen A = 1. User Traceablty: Accordng to the procedure demonstrated n Table IV, malcous HES s able to fnd the user s dentty easly and grabs ID. Although, t can trace smlarly the user wth the algorthm1, cannot obtan that whch user re-authentcates wthout re-logn. But t can the user n the hand off phase s same user that has been n ssue phase. 2) User traceablty: Accordng to defnton of user traceablty mentoned n the secton 3.2, A should not get any

8 TABLE V THE USER TRACEABILITY Algorthm2 Set up: Input: CID, T 1, & n eavesdropped from publc channel Output: 0 or 1 Challenge: 1. Eavesdrops CID, T 1, & n from publc channel 2. Chooses randomly y 3. Computes ID = CID h(y T 1 n ) 4. Creates a set of ID s and stores t Guess: 5. Challenger has to calculate new ID lke lne 3 If the new calculated ID s n the created set return 1 (success), ID else return 0 (falure), ID was loged n on the server never loged n on the server nformaton about users dentty. It s clearly that A has no nformaton about y. wth havng y, A can obtan ID. But, there s no need to obtan the real user dentty. In ths attack, A wants to know the authentcated user s the same user that was prevously loged n to the server or not. To acheves ts goal, after eavesdroppng each CID, T 1, and n form publc channel, A chooses randomly unque y and calculates ID = CID h(y T 1 n ) as pseudonym of all users send log n request and stores all calculated ID s n ts memory. After a whle, A eavesdrops the publc channel and calculate ID and compares t wth stored set of ID s. If new calculated ID s n stored set, the user s n the authentcaton phase, s the same user whch A calculated ts pseudonym and stored ts ID. Now, A can guess ths user was loged n on the server or not wth probablty of 1. In fact t can classfy all users n two groups. The frst group: the group whch has anonymous members, but A knows the group members was loged n on the server. The second group: t has the anonymous members, but A knows the groups members never loged n on the server. We descrbe ths process on the Table V. 3) Soundness: In the ssue phase, subscrpton phase and hand-off phase of Chen s scheme the followng parameters are calculated by users: R = R t h(y n ) CID = ID h(y T 1 n ) R = Θ h(y n ) Z = Θ t h(y n ) Accordng to Chen s scheme, y s the secret key of the remote server stored n the hash functon [16]. So, the users have no ablty to calculate the mentoned parameters and they cannot use y. B. Our Improved Scheme In ths secton, we propose an mproved ssue of Chen scheme. Our mproved scheme has 4 phases whch we descrbe as below, and compare our changes wth the orgnal scheme. We represent the protocol s procedure ndetals n Tables VI to IX. Intalzaton Phase Whch s shown n Table VI, the server calculates R, and Q accordng to the Table VI after recevng ID, and P W B, and then stores R, Q and P W B n ts database. In the followng, we descrbe ths process n detals: U : U generates b as random number and chooses P W. Then t computes P W B = h(p W b) and sends P W B and ID to the pay-tv server. S: After recevng P W B and ID, S computes Q = h(id x) P W B and R = h(p W B ID ). Then t stores R, Q, and Q P W B n ts database and ssues smart card contanng [R, Q ]. S send ssued smart card to U. U : U stores b on smart card memory and keeps t secure. Issue Phase The moble user generates n as random number and calculates R va the P W, ID, and R and beng authentcated. Then, t calculates and sends a log n request to HES. In the next step, after the tme stamp and the user s ID verfcaton, the server calculates E and D and broadcasts m 2. The user also calculates Θ as the Authentcaton sesson key after checkng T and verfyng ts value. Ths sesson s shown n Table VII. The mentoned process s depcted n the followng: U : U nputs ts ID, and P W and computes: P W B = h(p W b) R = h(p W B ID ) Smart card checks R and verfes t. Then generates n and calculates: Kn = Q P W B n CID = Kn h(kn T 1 n ) C = h(q CID T 1 n ) R t = R Kn Smart card sends m 1 = [Kn, C, T 1, n ] to S. S: S receves m 1 at T 2 and checks T 2 T 1 T. Then t computes Kn n = Q P W B and searches t n ts database, then verfes t. Else, termnates ths phase. S checks C = h(q Kn h(kn T 1 n ) T 1 n ) = C and verfes t. Then t chooses the token Θ and stores t on DBS and computes: D = h(r Kn CID T 2 n ) E = Θ h(q T 2 n Q Kn) and broadcasts m 2 = [D, E, T 2 ]. U : U receves m 2 at T 3 and checks T 3 T 2 T. Then t checks D = h(r t CID T 2 n ) = D and calculates Θ = E h(q T 2 n P W B ) as authentcaton sesson key.

9 TABLE VI INITIALIZATION PHASE - OUR IMPROVED SCHEME U Chooses b as random number and nputs ID, P W & b Computes P W B = h(p W b) Stores random number b on smart card and smart card contans [R, Q & b] P W B,ID S Computes Q = h(id x) P W B R = h(p W B ID ) Stores (Q,R & Q P W B ) n DBS [R,Q ] Issues a smart card contanng [R, Q ] TABLE VII ISSUE PHASE - OUR IMPROVED SCHEME U [R, Q & b] S [Q, R, Q P W B ] Inputs ID & P W Computes P W B = h(p W b) Verfes R = h(p W B ID ) (acc/rej) Generates n and computes Kn = Q P W B n Computes CID = Kn h(kn T 1 n ) Receves message at T 2 C = h(q CID T 1 n ) R t = R Kn m 1 =[Kn,C,T 1,n ] m 2 =[D,E,T 2 ] Checks T 2 T 1 T Computes Kn n = Q P W B Checks Q P W B (acc/rej) C = h(q Kn h(kn T 1 n ) T 1 n ) (acc/rej) Receves m 2 at T 3 & checks T 3 T 2 T Chooses the token Θ & store n DBS Computes D = h(r t CID T 2 n ) (acc/rej) Computes D = h(r Kn CID T 2 n ) Authentcaton sesson Key Θ = E h(q T 2 n P W B ) E = Θ h(q T 2 n Q Kn) Subscrpton Phase Whch s shown n Table VIII. After Θ calculaton and enterng P W and ID, the user sends Kn new, C and CID usng the obtaned Θ along wth n new and T 1 to HES. If HES authentcates the user s ID, t wll broadcast m 2 = [D, E, T 2 ] whch contans γ. In the followng, We descrbe the subscrpton phase of our allevated scheme n detals: U : U nputs ts ID, and P W and computes P W B = h(p W b). Then verfes R = h(p W B ID ) and generates n new and calculates followng parameters: Kn new = Q P W B n new CID = Kn new h(kn new T 1 n new ) C = h(q CID T 1 n new ) R = Θ Kn new U sends m 1 = [Kn new, C, T 1, n new ] to HES. S: S receves m 1 at T 2 and checks T 2 T 1 T. Then computes Kn new n new = Q P W B and checks C = h(q CID T 1 n new ) = C. S calculates Θ = R Kn new and chooses γ as token for U. S computes: E new D new = h(r CID T 2 n new ) = γ h(r T 2 n new Q Kn new ) S broadcasts m 2 = [D new, E new, T 2 ]. U : receves m 2 at T 3 and checks T 3 T 2 T. Then t checks D new computes γ = h(r CID T 2 n new = E new h(r T 2 n new authentcaton sesson key to get servces. ) = D new and P W B ) as Hand-off Phase Any user who wants to leave a HES regon and log n to another HES regon have to go through ths step accordng to Table IX. Snce the user s n the prmary HES regon, no log n s requred. In fact, the user s re-authentcated wthout re-logn. When ths step s fnshed, the user obtans γ new for communcatng wth the new HES. The hand-off phase of our allevated scheme s shown on the Table IX. Accordng to the Table IX, S replaces P W B Q h(y R ) on P W B Q stored n ts database. C. Securty Analyss of Our Improved Scheme Ths secton s composed of three subsectons. After explanaton of the reason of our changes, analyze the mproved scheme both heurstcally and formally s analyzed. Now, we analyze the man changes n our mproved scheme compared wth Chen s scheme. depcted n Tables VI to IX. Removng N from DBS of HES: By storng Q, R, and P W B Q, the server does not need to store N anymore n DBS of HES. Each user authentcates anonymously after sendng the log n request for each HES n the authentcaton phase by HES wth stored parameters n DBS of HES. Removng h(y) from R: As n the Chen scheme, h(y) s the publc key of the server, and t s avalable to all users. Its presence or absence n R value does not guarantee any securty. Lack of usng y n the generaton phase: We do not use y to prevent user mpersonaton and user traceablty attacks. We used Q, and R nstead. Q and R are jont

10 TABLE VIII SUBSCRIPTION PHASE - OUR IMPROVED SCHEME U [R, Q & b] S [Q, R, Q P W B ] Inputs ID & P W Computes P W B = h(p W b) Verfes R = h(p W B ID ) (acc/rej) Generates n new and computes Kn new = Q P W B n new Computes CID = Kn new h(kn new T 1 n new ) Receves message at T 2 C = h(q CID T 1 n new ) R = Θ Kn new m 1 =[Kn new,c,t 1,n new ] m 2 =[D new,e new,t 2 ] Checks T 2 T 1 T Computes Kn new n new = Q P W B Checks Q P W B h(y R ) (acc/rej) C = h(q Kn new h(kn new T 1 n new ) T 1 n new ) (acc/rej) Θ = R Kn new Receves m 2 at T 3 & checks T 3 T 2 T Computes D new = h(r CID T 2 n new ) (acc/rej) Chooses token γ for U Computes γ = E new h(r T 2 n new P W B ) as Computes D new = h(r CID T 2 n new ) Authentcaton key to get servces E new = γ h(r T 2 n new Q Kn new ) TABLE IX HAND-OFF PHASE - OUR IMPROVED SCHEME Re-authentcaton wthout re-logn U [R, Q & b] S [Q, R, Q P W B ] Generates n new and computes Kn new = Q P W B n new Computes CID = Kn new h(kn new T 1 n new ) Receves message at T 2 C = h(q CID T 1 n new ) m 1 =[C,T,n new ] Checks T 2 T 1 T Computes Kn new n new = Q P W B Checks Q P W B h(y R ) (acc/rej) Replaces P W B Q h(y R ) on P W B Q C = h(q Kn new h(kn new T 1 n new ) T 1 n new ) (acc/rej) Chooses the new authentcaton sesson key γ new and m 2 =[D new,f,t 2 ] Receves m 2 at T 3 and checks T 3 T 2 T (acc/rej) computes D new = h(r CID T 2 n new ) Computes D new = h(r CID T 2 n new ) F = γ new h(r T 2 n new Q Kn new ) Computes γ new = F h(r T 2 n new P W B ) as new Authentcaton sesson key to obtan new HES parameter between U and HES. R and Q are stored n the user memory and DBS of HES produced by the server. 1) Heurstc Securty Analyss: In ths secton, we analyze the mproved scheme n heurstc form and show that our scheme s resstant to all prevalent attacks. Imagn A has possesson of sensetve nformaton stored on the card (wth power attack [18]). we prove that the scheme ressts a stolen smart card or stolen server. So, A cannot evade the users prvacy or create any nterference n communcatons. Stolen server database attack and stolen verfcaton table attack: By stealng the nformaton stored on the server, A acheves R = h(p W B ID ), Q = h(id x) P W B,P W B = h(p W b). We proof that A has no ablty to obtan senstve parameters: For x retreval, A needs to retreve the hash functon value, whch s mpossble gven the secure hash functon. Therefore, A must agan try to retreve ID frst. Then t can run brute force attack on x. So, ts success probablty s (1/2) (Length of x)+(length of ID). For P W retreval, A needs to retreve the hash functon value, whch s mpossble gven the secure hash functon. Therefore, A must agan try to retreve b frst. Then, t can retreval P W. So, ts success probablty s (1/2) (Length of b)+(length of P W). The other parameter whch A wants to retreve t, s ID stored n hash functon. For retreval t, A has to run brute force attack wth probablty of (1/2) Length of ID. Stolen smart card attack: By server stealng and after power analyss, A acheves Q = h(id x) P W B, R = h(p W B ID ), and random number b. b does not help A to obtan the senstve nformaton of terms R and Q, A also needs an exponental tme, to acheve them. Replay attack: There s the freshness of all sent flows on the channel and the new random number and tme stamp, so there s no possblty for ths attack. In fact, f A ntends to resend the prevous messages, t needs to access the term R. As mentoned n the prevous secton, exponental tme s needed to produce these parameters. It should be noted that A could access R by possessng the server, but f A s present at the hghest level of attack (stolen server) and t possesses the database of server, there s no reason for the replay attack. Impersonaton attack: For user mpersonaton, A needs a par of (ID, P W ) or t should be able to produce Kn, C, and CID. As explaned n the prevous sectons, n order to acqure or produce the desred parameters, A needs exponental tme and t cannot mplement the attack n polynomal tme. Breakng user anonymty and user traceablty at-

11 TABLE X CHANNEL EAVESDROPPING Algorthm3 EXPImpChen Hash Set up: Input: Kn, C, T 1, and n eavesdropped from publc channel Output: 1 (success) / 0 (falure) Challenge: 1. Eavesdrops Kn, C, T 1, and n from publc channel eavesdroppng 2. Computes Q P W B = Kn n where Q = h(id x) h(p W b) and P W B = h(p W b) 3. Selects randomly ID, x, P W, and b 4. Computes Kn n = h(id x ) h(p W b ) h(p W b ) Guess: 5. If Kn n = Kn n Accepts selected ID, x, P W, and b as ID, x, P W, and b Return 1 (success) else Return 0 (falure) tacks: Accordng to the Table VIII, t s clear that no user ID trace s placed drectly on the channel. The only place that the user ID has been used s CID = Kn h(kn T 1 n ) = Q P W B n h(q P W B n T 1 n ) = h(id x) h(p W b) h(p W b) n h(h(id x) h(p W b) h(p W b) n T 1 n ) that A s faced wth ths phrase wth the possblty of (1/2) Length of hash to retreve the user ID. If A possesses the database of a server, t can access the user s ID, but havng the user ID wthout any adverse nformaton s not suffcently useful. Card stealng and the card data retreval do not help A to acheve user s IDs. Regardng to protecton of user ID, the user s untraceable. A cannot calculate the user ID, so t cannot trace the user n the hand-off phase. Channel eavesdroppng attack: Accordng to the descrpton n prevous sectons, A cannot actvely attack by channel avodance and havng the transmtted nformaton on the channel. Also A cannot able to obtan user s ID va passve attack. 2) Formal Securty Analyss: In ths secton, we analyze our scheme n the formal model [37], [33], whch s shown n Tables X to XIII (Algorthms3 to Algorthms6). In the algorthms, we show that our allevated scheme s resstant aganst channel eavesdrop and stolen card attack and n random oracle model. By regardng the one-way hash functon (Note that the parameters represented by are generated by A). Channel eavesdroppng A obtans Kn, C, T 1, and n wth ntercepton. To recover the senstve nformaton about U, there must be a process n accordance wth the Algorthm3 that shown on the Table X. In the desgned game noted on the Table X, A eavesdrops Kn, C, T 1, and n from publc channel and tres to guess senstve nformaton. To pass the game successfully, t has to guess ID, x, P W, and b correctly. Snce the maxmum probablty of success s (1/2) nputes length. So, A s not able to guess senstve nformaton correctly TABLE XI STOLEN SMART CARD Algorthm4 EXPImpChen Hash Set up: Input: R, and b recovered from smart card memory by power attack Output: 1 (success) / 0 (falure) Challenge: 1. Recovers R, and b from smart card by power analsys attack 2. Selects randomly P W and ID as user s prvate key and ID 3. Computes R = h(h(p W b) ID ) Guess: 4. If R = R then Accepts P W and ID as user s prvate key and ID Return 1 (success) else Return 0 (falure) n polynomal tme. A ID A x A P W A b A hash ] ( 1 2 )ID length hash ] ( 1 2 )x length hash ] ( 1 W length )P 2 hash ] ( 1 2 )b length = Pr[EXP hash A ] ( 1 2 )(ID x PW b) length ɛ So, t can not guess mentoned parameters correctly. Stolen smart card attack If the smart card s stolen and corrupted by power analyss attack, A acqures stored data and tres to mpersonate the user or deceve the server. A ths process accordng to Tables XI and XII (algorthms 4 and 5). In ths secton, the nvader tres to recover 4 parameters. To ndcate that our mproved scheme s secure aganst ths attack, we desgn two games shown n the Tables XI and XII. In the games, A obtans R, Q, and b from smart card memory by power attack and runs the games mentoned n the algorthm 4 and 5. After recoverng R, and b, A tres to obtan the user s prvate key and ID whch are descrbed n Table XI ndetals. Accordng to the Table XI, A has no chance to obtan a user s prvate key and ID, so: A P W A ID A hash ] ( 1 W length )P 2 hash ] ( 1 2 )ID length = Pr[EXP hash A ] ( 1 2 )(ID PW ) length ɛ Accordng to the recoverng the server s prvate key whch s descrbed n Table X, f an output of the algorthm3 s 1 (but, we prove formally, ts

12 TABLE XII STOLEN SMART CARD TABLE XIII PRIVILEGE INSIDER ATTACK Algorthm5 EXPImpChen Hash Set up: Input: Q and b recovered from smart card memory by power attack, correct x, and P W whch are guess successfully from Table X Output: 1 (success) / 0 (falure) Challenge: 1. Recovers Q from smart card by power attack 2. Assumes that x, and P W are correct and P r[x = x P W = P W ] = 1 3. Selects randomly ID 4. Computes Q = h(id x) h(p W b) Guess: If Q = Q then Return 1 and accept ID else return 0 as user ID probablty s neglgble). It means we assume that A obtans the x, and P W successfully and tres to guess the ID. To proof formally that A has no ablty to obtan the user ID and breaks the user prvacy, we desgn a game and depct t on the Table XII. In the algorthm5 we assume that P r[x = x P W = P W ] = 1. However, A can obtan the user ID wth neglgble probablty. We note that: A We know that P r[x = x P W = P W ] ɛ. So, A has no chance to guess ID successfully. It s great anonymty level (A has the server s secret and user s password, but t cannot break the user prvacy and obtan user s ID). Stolen server attack Accordng our allevated scheme, R, and Q are parameters stored n user memory and server database. So, the desgned games n ths tem are smlar to prevous tem (stolen smart card attack) and there s no need to repeat the formal analyss for ths tem. Prvlege nsder attack Accordng to the secton 3.2 and the defnton of prvlege nsder attack, we assume that the servers are malcous and we want that they have no nformaton about user dentty. To prove that our allevated scheme s ressts to prvlege nsder attack, we desgn a game and show t on the Table XIII. We assumed that, we have secure one-way hash functon and the success probablty of obtan the hash argument s neglgble. So, we note for ths tem: A hash ] ( 1 2 )ID length V. COMPARISON In ths secton, we compare our mproved scheme wth other schemes n both securty features and performance cost. Algorthm6 EXPImpChen Hash Set up: Input: Kn, C, T 1, and n receved form publc channel Output: 1 (success) / 0 (falure) Challenge: 1. Receves Kn, C, T 1, and n form publc channel 2. Computes Kn n = Q P W B 3. Searches Q P W B and fnd Q, and R 4. Computes P W B = Q P W B Q (Now, the challenger has Kn, C, T 1, n, Q, R, and P W B ) Note: Challenger wants to obtan ID and t uses the parameters contan user ID Result: Challenger uses R, and Q to recover ID 5. Selects randomly ID 6. Computes Q = h(id x) P W B and R = h(p W B ID ) Guess: If Q = Q, or R = R Return 1 and accepts ID else return 0 as user ID Securty features Chen et al proposed a scheme for moble pay-tv [16], and then Km et al mproved t n 2012 aganst the stolen card attacks [19]. However, we mentoned n the hash P r[x = x P W prevous sectons, the mprovement seems to be wrong. = P W ] = 1] ɛ It has weaknesses such as breakng user prvacy, user traceablty and some forms of computng lke Chen s scheme. In ths secton, we showed n the Table XIV, the benefts of our allevated scheme compare wth that of Chen et al. Accordng to Table XIV, our mproved scheme has even more securty features than Sabznejad Farash s scheme [6] and our allevated scheme much more lghter the Farash s scheme. Also, our scheme s more secure than both Chen s scheme [16] and ts mprovement proposed n 2012 [19]. Our scheme s secure aganst stolen/lost smart card, mpersonaton, and stolen verfer attacks, but A can mpersonate users n Yeh L s scheme [10]. Performance cost In recent years, many anonymous athentcaton schemes for mobl pay-tv are proposed. Some of them only use of hash functon and sutable for lght devce. Accordng to [39], we assume the executon tme of the hash functon s 0.13µs and the executon tme of parng functon s µs. It s clearly that the parng-based schemes are much heaver and slower than the schemes use only hash functon (for example, the executon tme of our mproved scheme n ssue phase s 1.3µs and the executon tme of ssue phase n Wu et al [28] s about µs). We depct n the Table XV performance comparson of our mproved scheme wth other lght schemes.

13 TABLE XIV SECURITY FEATURES COMPARISON Securty Feature S1 S2 S3 S4 S5 S6 S7 Scheme Chen et al [16] (2011) Km et al [19] (2012) Yeh L [10] (2012) Sabznejad Farash [6] (2016) Our Improved Scheme Note: S1: Resstance aganst stolen/lost smart card attack and user mpersonaton attack S2: Resstance aganst stolen verfer or stolen verfcaton table and server mpersonaton attack S3: Resstance aganst DoA attack S4: Secure aganst prvacy preservng (compromse user s ID for other server, whch s not server that submtted user) S5: Secure aganst user traceablty S6: Provde mutual authentcaton S7: Resstance aganst prvlege nsder attack TABLE XV PERFORMANCE COMPARISON Feature Scheme P1 P2 P3 P4 P5 P6 P7 P8 Chen [16] Km [19] L [21] Our scheme Note: P1: The number of hash functon n regstraton phase P2: The executon tme of regstraton phase (µs) P3: The number of hash functon n ssue phase - user sde P4: The executon tme of ssue phase - user sde (µs) P5: The number of hash functon n ssue phase - server sde P6: The executon tme of ssue phase - server sde (µs) P7: The number of parameters stored n the smart card P8: The number of parameters send on publc channel n ssue phase VI. CONCLUSION To save energy, lghtweght devces have become customary. Lght protocols should help them to develop. However, we have to respect to ther securty and prvacy polces. one mportant aspect of prvacy s an anonymty fulflled by anonymous authentcaton protocols. Recently, a lot of anonymous authentcaton protocols have been proposed whch s based on secure hash functon or blnear parng transform. Hash-based protocols are lghtweght and quck to run. Our allevated protocol s more secure and lghter than mentoned protocols. Snce the lght devces such as sensors, smart cards, and smart phones are ncreasng, we predct lghtweght protocols and hash-based protocols wll be more popular to be pad. REFERENCES [1] Rayan, Nrmal Lourdh, and Chatanya Krshna. A survey on moble wreless networks. Internatonal Journal of Scentfcand Engneerng Research (2014). [2] Bhalla, Mudt Ratana, and Anand Vardhan Bhalla. Generatons of moble wreless technology: A survey. Internatonal Journal of Computer Applcatons 5.4 (2010). [3] B.KranKumar. Latest Trends n Wreless Moble Communcaton. Internatonal Journal of Computer Scence and Informaton Technologes [4] Armstrong, Mark. Competton n the pay-tv market. Journal of the Japanese and Internatonal Economes 13.4 (1999): [5] Lu, Xuefeng, and Yuqng Zhang. A prvacy-preservng acceleraton authentcaton protocol for moble pay-tv systems. Securty and Communcaton Networks 6.3 (2013): [6] Farash, Mohammad Sabznejad, and Mahmoud Ahmadan Attar. A provably secure and effcent authentcaton scheme for access control n moble pay-tv systems. Multmeda Tools and Applcatons 75.1 (2016): [7] Bra, Aurelan, Patrk Karrberg, and Per Andersson. TV n the moble or TV for the moble: challenges and changng value chans. Personal, Indoor and Moble Rado Communcatons, PIMRC IEEE 18th Internatonal Symposum on. IEEE, [8] Bakhtar, Shaghayegh, Ahmad Baraan, and Mohammad-Reza Khayyambash. Mobcash: A new anonymous moble payment system mplemented by ellptc curve cryptography. Computer Scence and Informaton Engneerng, 2009 WRI World Congress on. Vol. 3. IEEE, [9] Popescu, Constantn. An anonymous moble payment system based on blnear parngs. Informatca 20.4 (2009): [10] Yeh, Lo-Yao, and Woe-Junn Tsaur. A secure and effcent authentcaton scheme for access control n moble pay-tv systems. IEEE Transactons on Multmeda 14.6 (2012): [11] Banaean Far, Saeed, and Mahd R. Alagheband. Provable analyss and mprovement of smart card-based anonymous authentcaton protocols. Internatonal Journal of Communcaton Systems: e3542. [12] Yang, Guomn, et al. Unversal authentcaton protocols for anonymous wreless communcatons. IEEE Transactons on Wreless Communcatons 9.1 (2010). [13] ZHANG, De-dong, Xn-xn NIU, and Yong Peng. Anonymous authentcaton scheme of trusted moble termnal under moble Internet. The Journal of Chna Unverstes of Posts and Telecommuncatons 20.1 (2013): [14] Bapana, Surekha, K. Lakshm Narayana, and Chandra Sekhar Vorugunt. An energy effcent remote user authentcaton scheme preservng user anonymty. Contemporary Computng and Informatcs (IC3I), 2014 Internatonal Conference on. IEEE, [15] Yang J-H and Chang C-C. An ID-based remote mutual authentcaton wth key agreement scheme for moble devces on ellptc curve cryptosystem. ComputSecur. 2009; 28: [16] Chen, Ten-Ho, et al. An effcent anonymous authentcaton protocol for moble pay-tv. Journal of Network and Computer Applcatons 34.4 (2011): [17] Wang, Huaqun, and Bo Qn. Improved one-to-many authentcaton scheme for access control n pay-tv systems. IET nformaton Securty 6.4 (2012): [18] Chen, Ch-Tung, and Cheng-Ch Lee. A two-factor authentcaton scheme wth anonymty for mult-server envronments. Securty and Communcaton Networks 8.8 (2015): [19] Km, Hyunsung, and Sung Woon Lee. Anonymous authentcaton protocol for moble pay-tv system. Computer Applcatons for Securty, Control and System Engneerng (2012): [20] Camensch, Jan, Jean-Marc Pveteau, and Markus Stadler. An effcent