Computers and Electrical Engineering 88 (2020) 106888

Contents lists available at ScienceDirect

Computers and Electrical Engineering

journal homepage: www.elsevier.com/locate/compeleceng

An enhanced and provably secure multi-factor authentication

scheme for Internet-of-Multimedia-Things environments☆
Khalid Mahmood a, Waseem Akram a, Akasha Shafiq a, Izwa Altaf a,
Muhammad Ali Lodhi b, SK Hafizul Islam *, c
a
Department of Computer Science, COMSATS University Islamabad, Sahiwal Campus, 57000, Pakistan
b
Department of Computer Science, Dalian University of Technology, China
c
Department of Computer Science and Engineering, Indian Institute of Information Technology Kalyani, West Bengal 741235, India

A R T I C L E I N F O A B S T R A C T

Keywords: The Internet-of-Multimedia-Things (IoMT) opens new doors towards various contingencies to
Anonymity improve applications and services through efficient multimedia data usage. The ever-enlarging
Authentication content of multimedia information in an IoT system makes it a critical security concern. When­
Internet-of-Multimedia-Things
ever users access services or information through a public channel, he/she is exposed to numerous
Provable security
Random oracle model
security threats. Many security schemes have been introduced for IoMT environments to tackle
Elliptic curve the above-said concerns. Still, most of them do not fulfill all the security requirements of the IoMT
systems. Recently, Dhillon and Karla have presented an authentication scheme for the IoMT
environment. They have declared that the scheme is robust and can resist significant security
attacks. However, we noticed that Dhillon and Kalra’s scheme is susceptible to user masquerading
attacks and a stolen verifier attack. Besides, their scheme also violates the anonymity and
traceability of a user. This paper proposes a more secure remote user authentication scheme using
the elliptic curve cryptosystem for the IoMT system. We have evaluated our scheme formally
through the random oracle model. The informal security description proves that our scheme
provides resistance against significant security attacks. Further, the performance analysis reveals
that our scheme is more flexible, robust, and efficient than the relevant schemes.

1. Introduction

The developing environment of Internet-of-Things (IoT) foresees to connect sensors, small devices, and actuators for interacting
and exchanging the information with each other through the Internet. An IoT network can facilitate vast industrial applications
because it allows various devices to cooperate and interact with each other. Moreover, multiple IoT-devices produce various types of
Internet traffic from traditional scalar information (i.e., temperature, humidity, light, etc.) to the massive volume of multimedia data
(i.e., images, videos, audios, etc.). The advanced communication technologies (such as SIGFOX, 5G, and Zigbee) and infrastructural
technologies (i.e., edge, fog, and cloud computing) have been proposed to realize the IoT paradigm and its operation [1]. All such

☆
This paper is for regular issues of CAEE. Reviews processed and recommended for publication to the Editor-in-Chief by Associate Editor Dr.
Debiao He.
* Corresponding author.
E-mail addresses: [email protected] (K. Mahmood), [email protected] (W. Akram), akasha.shafiq75@gmail.
com (A. Shafiq), [email protected] (I. Altaf), [email protected] (M.A. Lodhi), [email protected] (S.H. Islam).

https://doi.org/10.1016/j.compeleceng.2020.106888
Received 17 June 2020; Received in revised form 13 October 2020; Accepted 15 October 2020
Available online 24 October 2020
0045-7906/© 2020 Elsevier Ltd. All rights reserved.
K. Mahmood et al. Computers and Electrical Engineering 88 (2020) 106888

advancements carry out new opportunities at the cost of contemporary challenges. The foremost among them is the challenge of
security. In both wireless and wired networks of IoT applications and multimedia-based services, the primary concern is to maintain
adequate security [2].

1.1. Related works

Dhillon and Kalra [3] devised a scheme for remote user authentication for IoMT environments. Their scheme enables any legitimate
user to access the real-time sensor information through IoT nodes. However, the computational complexity of their scheme is low, and
it also resists potential threats. Tu et al. [4] proposed a smartcard-based authentication technique for session initiation protocol (SIP),
but later it is found vulnerable to the password guessing attack. Wu et al. [5] devised an authentication and key agreement scheme
using elliptic curve cryptography (ECC); however, the scheme has the vulnerability against a password guessing attack. Dhillon and
Kalra [6] devised an ECC and biometric-based authentication scheme for the health-care in which patient data can be accessed securely
by a medical professional from a cloud-assisted IoT network. Sharma and Kalra developed a couple of lightweight key agreement
schemes [7,8] for the applications of e-governance in smart-cities. However, these schemes are found prone to user masquerading,
password guessing, and smartcard stolen attack.
Irshad et al. [9] put forwarded a remote user authentication scheme using ECC for SIP. But this scheme can not resist smartcard
stolen and user masquerading attacks. Yeh et al. [10] devised a SIP using ECC and smartcard. However, their scheme has no potential
to resist the server impersonation, stolen smartcard, user impersonation, and offline password guessing attacks. In 2012, Chen et al.
[11] put forwarded a three-factor biometric-based authentication scheme for mobile devices. In the same year, Truong et al. [12]
claimed that Chen et al.’s scheme is vulnerable to forgery and replay attacks. After that, they proposed an enhanced scheme. However,
both of these schemes in [11,12] are criticized by Khan et al. [13] and found that they are prone to offline password guessing attack. To
solve the identified issues in [11,12], Khan et al. proposed an enhanced and flexible scheme.
Chuang et al. put forward a three-factor authentication scheme [14] in 2014, and they claimed that their scheme is immune to
numerous threats. Unfortunately, Mishra et al. [15] analyzed that the scheme in [14] is prone to masquerading, smartcard stolen, and
server spoofing attacks. Afterward, Mishra et al. designed a more secure and efficient three-factor authentication scheme using bio­
metric and smartcard. They analyzed that their scheme has the potential to resist all security threats. However, Lu et al. [16,17]
analyzed that server masquerading and spoofing attacks are still present in [15]. As a remedy, Lu et al. removed the identified flaws
and proposed two improved authentication schemes for multi-server architecture. Nevertheless, both of Lu et al.’s schemes are
analyzed insecure by Chaudhry [18], and they identified that these schemes could not resist various known attacks. They noticed that
the scheme in [16] is prone to the incorrect notion of user anonymity, and it is also insecure against masquerading attack, whereas the
scheme in [17] is insecure against user masquerading attack. Then, Chaudhry presented an improved scheme that promises to offer
enhanced security by maintaining almost the same computation and communication overhead [16].
Recently, an anonymous remote user authentication scheme is developed by Chandrakar and Om [19] for multi-server infra­
structure. Later, their scheme is found prone to the server-masquerading attack, and it did not offer perfect forward secrecy. This article
scrutinized Dhillon and Kalra’s scheme [3] and observed that their scheme is insecure against user masquerading and stolen verifier
attacks. Furthermore, their scheme does not offer the untraceability and anonymity of the user. Thus, we propose an elliptic
curve-based enhanced and secure authentication scheme that has excellent potential to resist the attacks present in [3]. Furthermore,
our scheme resists various major attacks and offers added security features, such as user anonymity and untraceability.

1.2. Motivations and contributions

We can accomplish the prerequisite for secure and reliable access to the services or resources within Internet-of-Multimedia-Things
(IoMT) environments through user identity authorization. This method is known as authentication, which helps to validate every
user’s identity, and afterward, the user is permitted to access the protected resource [20]. Therefore, various authentication schemes
were evolved in the last three decades. The biometric, smartcard, and password are three key factors that are generally involved in
achieving authentication. The schemes based on password and smartcard are not fully robust to resist the primary attacks. The third
factor is the user’s biometric imprint, which offers enhanced security to the users. The biometric is known to be difficult to forge but
easy to use due to every user’s unique natural features. Moreover, a user does not need to remember his/her biometric, unlike a
complicated and long password. Therefore, efficient and secure authentication schemes can be devised using multiple factors like
biometric, password, and smartcard [3,21]. Hence, we have motivated to propose an authentication scheme with three-factors for
resisting the well-known attacks in IoMT environments. A brief description our the significant achievements are stated as follows:

• We have designed a secure and robust three-factor authentication scheme for IoMT environments, where a user’s biometric plays a
role in verifying the user’s identity.
• We have considered the random oracle model (ROM) to examine the formal security, which assured that our scheme provides the
robustness against well-known attacks. This analysis shows that an adversary can not disclose the confidentiality of the user’s
credentials, such as password, biometric, session key, etc.
• We have provided some comparative analyses to highlight our scheme’s supremacy against the related schemes concerning security
features, attack resistance, communication, storage, and computational costs.

2
K. Mahmood et al. Computers and Electrical Engineering 88 (2020) 106888

1.3. Organization of the paper

The rest of this paper is structured as follows. Preliminaries are discussed in Section 2. Details of Dhillon and Kalra’s scheme [3] are
described in Section 3. The cryptanalysis of Dhillon and Kalra’s scheme is put forwarded in Section 4. Section 5 describes our scheme.
Section 6 describes formal and informal security analysis of our scheme. The performance analysis is given in Section 7. The conclusion
of this article is presented in Section 8.

2. Preliminaries

This section briefly describes the basic concepts of the one-way hash operation, elliptic curve cryptography, and a fuzzy extractor
tool.

2.1. One-way hash function

A one-way hash function is defined as h : U → V, where U = {0, 1}∗ and V = {0, 1}l . It is worth to note that h(⋅)is a deterministic
algorithm, which takes a binary string from Uof arbitrary length as input and generates a binary string of Vof size lbits as output [22].
The collision-resistant property of h(⋅)is described as follows:
Definition 1. Assume that 𝒜had is the advantage of an adversary Aad in finding the collision in h(⋅). Therefore, 𝒜had (T) = Pr [(u, u )
′

⇐R 𝒜ad : u ∕= u , h(u) = h(u )]), whereas Pr [E]describes the probability of occurring of an event Eand (u, u )⇐R 𝒜ad shows that
′ ′ ′

𝒜ad selects the pair (u,u )from Uuniformly at random. In this scenario, 𝒜ad is allowed to be probabilistic and calculate the probability of
′

advantage over the random choices made by him/her with the execution time T. h(⋅)is considered as collision-resistant, if 𝒜had (T)is
negligible [22].

2.2. Threat model

By using the Dolev-Yao’s basic threat model [22] and side-channel attack threat model proposed in [23], this section describes the
following assumptions:

• 𝒜ad can be an outsider user (adversary) or a malicious insider user (registered user) of the system.
• 𝒜ad can modify, replay, and remove any message transmitted over a public channel.
• 𝒜ad cannot alter, replay and delete the information transmitted over a secure channel.
• 𝒜ad can extract the credentials from a lost or stolen smartcard by any reverse engineering process through observing the power
consumption of the smartcard.
• 𝒜ad can intercept or eavesdrop a message exchanged among a user and a server over a public channel.
• If 𝒜ad is an insider user, who is maintaining the server, can access the verifier stored in the database and extract the parameters from
it.

2.3. Biometric-based fuzzy extractor

Fuzzy extractor addresses non-uniformity and error-tolerance of a biometric template. It is represented by the tuple (ℳ,e,s,t,l). A
fuzzy extractor extracts a secret string ϑof s-bit length from a biometric input iwith some error-tolerance, where the lowest entropy of
distribution Dis denoted by eon the metric space ℳ, and tis the threshold value of error-tolerance. The extracted data ϑremains the
same if the given input i changes within the limit, but still i ≈ i. The fuzzy extractor produces an output string B, which is publicly
′ ′

Fig. 1. Overview of a fuzzy extractor function.

3
K. Mahmood et al. Computers and Electrical Engineering 88 (2020) 106888

known, and it helps in recovering the value ϑfrom inputted noisy biometric data i . However, ϑremains secure, even if Bis given because
′

of its uniform random characteristics. The Fig. 1demonstrates the procedure of a fuzzy extractor. The fuzzy extractor has two algo­
rithms: (i) the generation method Gen,and (ii) the reproduction method Rep. The characteristics of these algorithms are stated below:

• A probabilistic generation procedure Gen(⋅)produces a secret string ϑand a public string B, for a input biometric i ∈ ℳ. For a
distribution Don ℳof e, if Gen(i) → 〈ϑ, B〉, SD(〈ϑ, B〉, 〈Us , B〉) ≤ l, where SDdonates the statistical distance, Us represents the rect­
angular distribution on the strings of s-bit length and lrepresents the analytical distance between given two distributions (〈ϑ,B〉,〈Us ,
()
B〉)with s = e − 2log 1l + R(1).
• The reproduction procedure Rep(⋅)has the ability to recover the secret string ϑfrom the publicly known string B, and a noisy input
biometric i that is close to i. For all i,i ∈ ℳsatisfying dis(i,i ) ≤ t,if Gen(i) → 〈ϑ,B〉then Rep(i ,B) = ϑ. The fuzzy extractor is assumed
′ ′ ′ ′

to be secure and efficient, if it is hard to recover or guess the secret string ϑfrom the publicly known string B. A fuzzy extractor (ℳ,e,
()
s, t, l)that is strong, has the ability to extract s = e − 2log 1l + R(1)nearly arbitrary bits. Thus, the success probability of an ad­

versary of guessing the biometric data is approximately 21s .

2.4. Elliptic curve cryptography (ECC)

Over the finite field Zp , a non-singular elliptic curve Ep (α, β)is defined as follows:
( )
y2 mod p ≡ x3 + αx + β mod p (1)

where α, β ∈ Zp , (4α3 + 27β2 ) ∕≡ 0(mod p), and pis a large prime number. The points on Ep (α, β)formulates a commutative group over
addition and this group can be defined as G = {(x, y) : x, y ∈ Zp and (x, y) ∈ Ep (α, β)} ∪ {ℴ}, where ‘‘ℴ′′ is called “point at infinity”. An
elliptic curve Ep (α, β)over Zp has ppoints on it. The Hasse theorem assures that the number of points, which is denoted as #E, on Ep (a,
√̅̅̅ √̅̅̅
b)satisfies the following inequality: p + 1 − 2 p ≤ #(Ep (α, β)) ≤ p + 1 + 2 p.
The elliptic curve point addition operation is defined as follows. Let P = (x1 ,y1 )and Q = (x2 ,y2 )be two points on elliptic curve (1),
with P ∕= Q, then R = (x3 , y3 ) = P + Qis calculated as x3 = (λ2 − x1 − x2 ) (mod p), and y3 = (λ(x1 − x3 ) − y1 ) (mod p), where
⎧y − y
2 1
⎪
⎪ (mod p), if P ∕
=Q
⎪
⎨ x2 − x1
λ=
⎪
⎪ 3x2 + α
⎪
⎩ 1 (mod p), if P = Q
2y1
The elliptic curve scalar point multiplication operation adds a point Pto itself ntimes, i.e., nP = P + P + ⋯ + P(ntimes). The elliptic
curve point doubling operation on the curve (1)where a point Pis added to itself to find another point Qon (1), i.e., Q = 2P = P + P. It
means, the tangent at Pcuts the curve (1)at − Q. The additive inverse of point P = (x1 ,y1 )on the curve (1)is − P = (x1 , − y1 ),i.e., − Pis
an image of Pwith respect to x-axis. If P = (x1 ,y1 )and Q = (x2 ,y2 )be points on (1)then P + Q = ℴimplies that x1 = x2 and y2 = − y1 .
Furthermore, P + ℴ = ℴ + P = P,for all P ∈ Ep (a,b). The point subtraction is adding a point Pwith its additive inverse − P,i.e., P + ( −
P) = P − P = ℴ. It means that the line joining Pand − Pmeets the curve (1)at ℴ. The order of a point Pis a smallest positive integer ufor
which uP = ℴ.
Definition 2. (ECDLP (Elliptic curve discrete logarithm problem) It is computationally easy to calculate Q = kP,where k ∈ Zp and P ∈
Ep (α, β). However, it is computationally hard to determine kfrom Q = kPfor a given pair (P, Q).

Definition 3. (CDHP(Computational Diffie-Hellman problem)) Given the tuple (P, cP, dP) ∈ Ep (α, β), it is computationally hard to

Table 1
Notations.
Notation Elucidation Notation Elucidation

𝒰a th
a User SC Smartcard of Ua
Usera Identity of Ua Pwa Password of Ua
Ba Biometric of Ua 𝒮j jth Server
Pubj Public key of 𝒮 j Prij Private key of 𝒮 j
x Secret value selected by 𝒮 j p, q Prime numbers
Ep (α, β) Elliptic curve Fq Finite Field
Gen(⋅), Rep(⋅) Fuzzy extractor functions h(⋅) One-way hash function
𝒮𝒦 Session key 𝒜ad Adversary
‖ Concatenation operator ⊕ XOR operator
⟶ Public Channel ⟹ Secure Channel

4
K. Mahmood et al. Computers and Electrical Engineering 88 (2020) 106888

calculate cdPwithout knowing c, d ∈ Zp , where Zp = {ω : 0 < ω < p, gcd (ω, p) = 1}.

2.5. Notation table

The notations that are used throughout in this article are shown in Table 1.

3. Review of Dhillon and Kalra’s scheme

We have reviewed the scheme proposed in [3] in this section, which comprises of two entities, such as user 𝒰 a and server 𝒮 j . This
scheme involves five phases: (1) Registration phase, (2) Login phase, (3) Authentication phase, (4) Password update phase, and (5)
Smartcard revocation phase, respectively. These phases are briefly described below:

3.1. Registration phase

Any new user, who is willing to interact with the server for the first time, must register with the server. This phase (see Fig. 2)
comprises the following steps:

1: In order to register himself/herself, 𝒰 a chooses his/her identity Usera ,password Pwa ,biometric Ba ,and a random number a1 . Then,
𝒰 a calculates: Gen(Ba ) = (η, λ)and Aa = h(Pwa ‖a1 ‖ η). Next, 𝒰 a sends the registration message {Usera , Aa }to 𝒮 j through a secure
channel.
2: On receiving {Usera , Aa }from 𝒰 a , 𝒮 j checks if Usera is already available in the verifier table. If Usera is found in the verifier table,
then Sj requests 𝒰 a to choose another unique identity. However, if Usera is not found in the verifier table, then Sj generate a secrete
identity SIDand computes: Ca = h(Usera ‖ N ‖ SID ‖ Prij ),Da = Ca ⊕ Aa and PIDa = h(Usera ‖ Prij ). Here, PIDa is a masked identity of
𝒰 a . Next, 𝒮 j embeds the parameters {PIDa ,Da ,h(⋅),p,q}in a new smartcard SCand gives it to 𝒰 a via a secure channel. 𝒮 j also keeps the
tuple (N, SID, Usera )of 𝒰 a in a verifier table.
3: After receiving the SC,𝒰 a computes la = a1 ⊕h(Usera ‖ Pwa ‖ η). Next, 𝒰 a embeds the recently computed values {λ,Aa ,la }in SC,and
now SCholds {PIDa , Da , h(⋅), p, q, λ, Aa , la }.

3.2. Login phase

In this phase (see Fig. 3), 𝒰 a login into 𝒮 j by executing the following steps:

1: 𝒰 a insert his/her SCinto the card-reader and inputs Usera , Pwa , and Ba .
2: Firstly, SCextracts ηand a1 as Rep(Ba , λ) = η, and a1 = la ⊕h(Usera ‖ Pwa ‖ η), respectively. Next, SCverifies whether
Aa = h(Pwa ‖a1 ‖ η)holds, and this equation can only hold true if 𝒰 a inputs the correct login credentials; otherwise, the login request
?

is rejected. If Aa = h(Pwa ‖a1 ‖ η), SCcomputes Ca = Da ⊕ Aa .

3: After that, SCselects a random number a2 ,and calculates Ru = a2 P,Authu = h(PIDa ‖ Usera ‖ Ru ‖ Ca ‖ TS1). Thereafter, SCsends
the login request message {PIDa , Ru , Authu , TS1}to 𝒮 j over a public channel.

Fig. 2. Dhillon and Kalra’s registration phase.

5
K. Mahmood et al. Computers and Electrical Engineering 88 (2020) 106888

Fig. 3. Dhillon and Kalra’s login phase.

3.3. Authentication phase

In this phase (see Fig. 4), 𝒮 j and 𝒰 a authenticate each other. If they mutually verify each other, then a common session key is
computed between them. The computed session key will be used to achieve a secure channel for subsequent communications.

1: On receiving the login message {PIDa , Ru , Authu , TS1}from 𝒰 a , 𝒮 j primarily verifies the freshness of the request message by
validating the timestamp TS1. After validating TS1, 𝒮 j verifies PIDa from the verifier table. The login request will be accepted if
PIDa is matched with the value stored in the verifier table, then, 𝒮 j will extract the parameters (N,SID,Usera )along with PIDa from its
verifier table. Next, 𝒮 j calculates Ca = h(Usera ‖ N ‖ SID ‖ Prij )and thereafter, verifies whether
Authu = h(PIDa ‖ Usera ‖Ru ‖Ca ‖ TS1)holds, to validate the legality of 𝒰a. 𝒰 a is authenticated if Authu =
?

h(PIDa ‖ Usera ‖Ru ‖Ca ‖ TS1)holds true, otherwise, the session will be terminated.
2: Afterwards, 𝒮 j chooses a number b1 at random, computes Ej = b1 P, Fj = b1 Ru , 𝒮𝒦 = h(Usera ‖ Fj ‖ Ca ‖ TS1 ‖ TS2), and Auths =
h(Usera ‖ 𝒮𝒦 ‖Ru ‖Ej ‖ TS1 ‖ TS2). Then, 𝒮 j sends the challenge message {Ej , Auths , TS2}to 𝒰 a , where TS2is 𝒮 j ’s current time.
3: After receiving {Ej , Auths , TS2}from 𝒮 j , 𝒰 a firstly verifies the freshness of the message by validating TS2. After validating TS2,
𝒰 a calculates the shared secrete Fa = a2 Ej ,and the session key as 𝒮𝒦 = h(Usera ‖ Fa ‖ Ca ‖ TS1 ‖ TS2). After the calculation of 𝒮𝒦,
𝒰 a checks the legality of 𝒮 j by validating Auths = h(Usera ‖ Sk ‖Ru ‖Ej ‖ TS1 ‖ TS2). If it holds, 𝒰 a accepts 𝒮𝒦as the shared session key.
?

Fig. 4. Dhillon and Kalra’s authentication phase.

6
K. Mahmood et al. Computers and Electrical Engineering 88 (2020) 106888

Fig. 5. Dhillon and Kalra’s password change phase.

3.4. Password change phase

This phase is invoked by the user’s own choice whenever he/she wishes to change his/her old password to a new password (see
Fig. 5). For this purpose, 𝒰 a first needs to undergo the validation process with Sj . Afterwards, 𝒰 a can change his password Pwa . The
details of this phase are given below:

1: Firstly, 𝒰 a inserts his/her SCinto smartcard reader. Then, 𝒰 a inputs Usera , Pwa and Ba along with a new password Pwnew a .
2: Firstly, the authenticity of input credentials (i.e., Usera ,Pwa and Ba ) are verified through authorization procedure, as described in
step (1) of the login phase. The authorization of input credentials is necessary because it verifies whether a legitimate 𝒰 a is
attempting to update his/her password or not. If 𝒰 a is found to be a valid user, then SCfurther proceeds the execution of this phase.
3: Next, SCengenders the procedure to calculate Anew new
a = h(Pwa ‖a1 ‖ η), Da
new
= Ca ⊕ Aa ⊕ Anew
a and la
new
= a1 ⊕h(Usera ‖ Pwnew
a ‖ η).
Note that SCcalculates a1 = la ⊕h(Usera ‖ Pwnew a ‖ η)in second step of this phase. SCreplace {D ,l
a a ,Aa }with {Dnew new new
a ,la ,Aa }and thus it
finally holds {PIDa , Dnew new new
a , h(⋅), p, q, λ, Aa , la }.

3.5. Smartcard revocation phase

If the smartcard SCof a registered user 𝒰 a is stolen or lost, he/she can utilize this phase to revoke it. The smartcard revocation phase
is further illustrated in Fig. 6.

4. Cryptanalysis of Dhillon and Kalra’s scheme

The scheme proposed by Dhillon and Kalra is susceptible to the following attacks.

Fig. 6. Dhillon and Kalra’s Smartcard revocation phase.

7
K. Mahmood et al. Computers and Electrical Engineering 88 (2020) 106888

Fig. 7. System Setup for IoMT.

4.1. Stolen verifier attack

The verifier table, which is maintained in the database of 𝒮 j is used to extract the tuple (N, SID, Usera )corresponding to PIDa .
Moreover, PIDa is stored in SCof 𝒰 a and also sent in every request message, which can be easily accessed. Consequently, an adversary
𝒜ad can obtain 𝒰 a ’s identity Usera along with the values Nand SIDform the verifier table. Therefore, their scheme is susceptible to the
stolen verifier attack.

4.2. Violation of user anonymity and traceability

Dhillon and Kalra’s scheme does not offer user anonymity, as Usera can be easily extracted from the verifier table using PIDa as
shown in Section 4.1. Moreover, the login request message includes PIDa ,which remains the same for every session. An authentication
scheme is said to offer user untraceability if 𝒜ad cannot identify whether the same user establishes two sessions or not. In Dhillon and
Kalra’s scheme, 𝒰 a sends PIDa as his pseudo-identity, which is fixed for every session. Thus, 𝒜ad can decide whether two different
sessions are established by the same user or not, by comparing the pseudo-identities sent in each login message. Therefore, this scheme
is not offering user anonymity and untraceability.

4.3. User masquerading attack

The scheme of Dhillon and Kalra is also susceptible to user masquerading attack. If an adversary 𝒜ad attempts to masquerade Usera ,
he/she will accomplish the following steps:

Step 1: Assume that 𝒜ad extracts the information {PIDa , Da , h(⋅), p, q, la , Aa }stored in 𝒰 a ’s SCby using the power analysis. 𝒜ad then
calculates Ca = Da ⊕ Aa ,R∗a = aPand Authu = h(PIDa ‖ Usera ‖R∗u ‖Ca ‖ TS1∗ ),where Usera is available to 𝒜ad from the verifier table as
discussed in Section 4.1.
Step 2: Then, 𝒜ad sends the request message {PIDa , R∗u , Authu , TS1∗ }to 𝒮 j .

Fig. 8. Proposed registration phase.

8
K. Mahmood et al. Computers and Electrical Engineering 88 (2020) 106888

Step 3: After receiving {PIDa , R∗u , Authu , TS1∗ }, 𝒮 j examine the authenticity of the timestamps. If the timestamps are not valid, the
session will be aborted. Otherwise, 𝒮 j extracts (N, SID, Usera )from the verifier table corresponding to PIDa , and then computes Ca =
h(Usera ‖ N ‖ SID ‖ Prij ). 𝒮 j checks whether Authu = h(PIDa ‖ Usera ‖R∗u ‖Ca ‖ TS1∗ )holds or not. If is false, the session will be aborted,
?

else 𝒮 j chooses a random number b1 , and computes Ej = b1 P, Fj = b1 R∗u , 𝒮𝒦 = h(Usera ‖ Fj ‖ Ca ‖ TS1∗ ‖ TS2)and Auths =
h(Usera ‖ 𝒮𝒦 ‖R∗u ‖Ej ‖ TS1∗ ‖ TS2). Then, 𝒮 j sends the challenge message {Ej ‖ Auths ‖ TS2}to 𝒰 a .
Step 4: Assume that 𝒜ad captures the message {Ej ‖ Auths ‖ TS2},and computes Fa = a2 Ej ,𝒮𝒦 = h(Usera ‖ Fj ‖ Ca ‖ TS1∗ ‖ TS2)and
Auths = h(Usera ‖ 𝒮𝒦 ‖R∗u ‖Ej ‖ TS1∗ ‖ TS2). 𝒜ad keeps 𝒮𝒦as shared key with 𝒮 j . Hence, 𝒜ad can masquerade 𝒰 a to 𝒮 j .

Therefore, the above analysis proved that Dhillon and Kalra’s scheme is weak against this type of user masquerading attack.

5. Proposed scheme

We described the proposed scheme in detail in this section. Initially, the system setup is executed for IoMT environments to
elaborate on the interacting entities and the underlying system. Our scheme withstands all the flaws present in Dhillon and Kalra’s
scheme, i.e., user masquerading attack, insider attack, violation of user anonymity, and untraceability. Likewise, to Dhillon and Kalra’s
scheme, our scheme also involves the following five phases: (1) Registration phase, (2) Login phase, (3) Authentication phase, (4)
Password update phase, and (5) Smartcard revocation phase, respectively. Figs. 8–12 demonstrates the various stages of the proposed
scheme, while the description of the proposed scheme is stated below:

5.1. System setup

An IoT system is composed of interconnected tiny, smart digital devices and capabilities, such as unique identifiers and the ability
to transfer the data over any unreliable networks. IoMT is a paradigm for facilitating the heterogeneous smart multimedia objects to
interact with other objects connected via the Internet to promote multimedia applications globally. The system setup for IoMT is
depicted in Fig. 7. We designed our scheme for IoMT environments in which it includes three entities: a user, a server of multimedia
application, and a mobile device of the user, such as a smart-phone, tablet or laptop, etc. The mobile device of the user serves as a sink
and gets multimedia data from a multimedia application server. The multimedia server keeps secret the information shared by a
registered user over a secure channel with it. The multimedia application server is assumed to be a trusted entity responsible for
various tasks, such as publishing system parameters, producing authentication parameters for system users, and initializing the sys­
tem’s environments.

5.2. Registration phase

When a user interacts with the system for the first time, she/he firstly registered herself/himself to the server. This phase elaborates
on the process to show how a user registers herself/himself into the server. In this phase, 𝒰 a and 𝒮 j perform all the steps stated below:

1: 𝒰 a selects his/her identity Usera , password Pwa , and biometric impression Ba . 𝒰 a selects a number a1 ∈ Zp uniformly at random,
and calculates Gen(Ba ) = (η, λ)and Aa = h(Pwa ‖a1 ‖ η). After that, 𝒰 a sends a registration message {Usera , Aa }to 𝒮 j on a private
channel.
2: vAfter receiving {Usera , Aa }from 𝒰 a , 𝒮 j calculates Ca = h(Usera ‖ Prij ), Da = Ca ⊕ Aa , Ya = h(Usera ‖Ca ‖ Aa ). Here Prij ∈ Zp is
denoted as the private key of 𝒮 j and Pubj = Prij Pis the corresponding public key of 𝒮 j .

Fig. 9. Proposed login phase.

9
K. Mahmood et al. Computers and Electrical Engineering 88 (2020) 106888

Fig. 10. Proposed authentication phase.

Fig. 11. Proposed password change phase.

3: Furthermore, 𝒮 j will store the parameters {Da , Ya , Pubj , q, p, h(⋅)}in a fresh smartcard SCalong with xand delivers them to
𝒰 a through a private channel.
4: After receiving the SC, 𝒰 a computes la = (a1 ‖ x)⊕h(Usera ‖ Pwa ‖ η)and stores {la , λ}in SC. Finally, SCholds {Da , la , λ, Ya , Pubj , q, p,
h(⋅)}.

5.3. Login phase

A user 𝒰 a registered to the server 𝒮 j must execute the login phase as follow:

1: 𝒰 a inserts her/his SCinto the card-reader and inputs Usera , Pwa , and Ba into it.
2: SCcomputes Rep(Ba ,λ) = η. By utilizing η,SCobtains (a1 ‖ x) = la ⊕h(usera ‖ Pwa ‖ η),and then computes Aa = h(Pwa ‖a1 ‖ η),Ca =
Da ⊕ Aa . After that, SCverifies whether Ya = h(Usera ‖Ca ‖ Aa )holds or not. If the condition is true, then the login credentials of 𝒰 a is
?

valid, otherwise, SCrejects the login request.

3: SCselects a number a2 ∈ Zp uniformly at random, and calculates Ru = a2 P, PIDa = Usera ⊕ (a2 Pubj )x , Authu =
h(PIDa ‖ Usera ‖Ru ‖ Ca ). Next, SCsends the login message {PIDa , Ru , Authu }to 𝒮 j through a public channel.

10
K. Mahmood et al. Computers and Electrical Engineering 88 (2020) 106888

Fig. 12. Proposed smartcard revocation phase.

5.4. Authentication phase

In this phase, 𝒮 j and 𝒰 a verify each other and calculate the session key. This phase is described as follows:

1: After receiving the login message {PIDa , Ru , Authu }from 𝒰 a , 𝒮 j extracts the identity Usera of 𝒰 a as Usera = PIDa ⊕ (Prij Ru )x . Next,
𝒮 j computes Ca = h(Usera ‖ Prij ). Afterwards, 𝒮 j verifies whether Authu = h(PIDa ‖ Usera ‖Ru ‖ Ca )holds or not. If the condition is true,
?

𝒮 j validates 𝒰 a as a legitimate user; else, aborts the session.

2: If 𝒰 a is successfully authenticated, 𝒮 j then chooses number b1 ∈ Zp uniformly at random, calculates Ej = b1 Pand Fj = b1 Ru . Next,
𝒮 j further calculates 𝒮𝒦 = h(Usera ‖ Fj ‖ Ca ), Authj = h(Usera ‖ 𝒮𝒦 ‖Ru ‖ Ej ), and sends the challenge message {Ej , Authj }to 𝒰 a over a
public network.
3: On receiving the challenge message {Ej , Authj }from 𝒮 j , 𝒰 a calculates Fa = a2 Ej , 𝒮𝒦 = h(Usera ‖ Fa ‖ Ca ), and checks whether
Authj = h(Usera ‖ 𝒮𝒦 ‖Ru ‖ Ej )holds or not. If the condition is true, then it is confirmed that 𝒰 a and 𝒮 j successfully mutually
?

authenticate each other and share a common secret session key 𝒮𝒦among themselves. Otherwise, 𝒰 a terminates the session.

5.5. Password change phase

This phase is invoked by a registered user himself/herself whenever he/she wishes to change his/her password. For this purpose,
𝒰 a first needs to undergo the validation process with 𝒮 j . Afterward, 𝒰 a can change his/her old password Pwa to a new password Pwnew
a .
Now, we provide the details of this phase as follows:

1: Firstly, 𝒰 a inserts her/his SCinto the card-reader. Then, 𝒰 a enters Usera , PWa , Ba , and a new password PWanew .
2: Afterwards, SCchecks the authenticity of Usera ,PWa ,and Ba by performing the verifications as done in step 2of the login phase. It
is indispensable need to examine whether a legitimate user requires to alter his/her old password or not. If the verification is
correct, then the password change phase will be executed by SC.
3: SCgenerates a number anew 1 ∈ Zp uniformly at random, and then calculates Anew new new
a = h(Pwa ‖a1 ‖ η), Da
new
= Ca ⊕ Anew new
a , and la =
new new new new
a1 ⊕h(Usera ‖ Pwa ‖ η). Next, SCreplaces the old values {Da , la }with the newly calculated values {Da , la }. SCfinally holds the
values {Dnew new
a , la , λ, Ya , Pubj , q, p, h(⋅)}

5.6. Smartcard revocation phase

To revoke the lost smartcard, the legitimate user executes the following steps. We further illustrated the smartcard revocation phase
in Fig. 12.

6. Security analysis of the proposed scheme

The security analysis is presented in this section, formally and informally. It highlights that our scheme is robust and secure against
various known threats.

6.1. Formal security analysis

We provide the details of the formal security analysis of our scheme in this section. In this section, we have shown that our proposed
method is secure in the random oracle model (ROM). Furthermore, in this game, the following queries are simulated to perform various

11
K. Mahmood et al. Computers and Electrical Engineering 88 (2020) 106888

attacks in the ROM against our scheme.

• Execute(Pi𝒰1a , Pi𝒮2j ): This query enables an adversary 𝒜ad to intercepts the messages that are transmitted over public channel among
all participants. 𝒜ad is executing this query to perform the passive attack against the proposed scheme, which we denoted as Π.
• Send(Pi , msg): The Sendquery is purely modeled as an active attack against Π. In this query, 𝒜ad can send a message msgto the
instance Pi in any session. Then Pi will generate the message as per the definition of Πif msgis correct. Otherwise, Pi ignore this query.
• Reveal(Pi ): The simulation of this query permits 𝒜ad to reveal the session key computed among Pi and its partner in the current
session. This query returns the session key to 𝒜ad if it is computed; otherwise, it returns a null value.
• Corrupt(𝒰 a ,x): This query helps 𝒜ad to obtain the important credentials of 𝒰 a . If 𝒜ad executes a Corrupt(𝒰 a ,x), then 𝒜ad is answered
as follows:
- If x = 1, {Da , la , λ, Ya , Pubj , q, p, h(⋅)}is returned to 𝒜ad .
- If x = 2, the password Pwa of 𝒰 a is returned to 𝒜ad .
- If x = 3, the biometric Ba of 𝒰 a is returned to 𝒜ad .
Therefore, 𝒜ad can obtain the private key Prij of 𝒮 j by executing a Corrupt(Πi𝒮j ) query. This query allowed 𝒜ad to perform the
forward secrecy attack of the session key.
• Test(Pi ): 𝒜ad is allowed to execute of a single Testquery in a fresh session i. If 𝒜ad performs a Test(Pi ) for a session ifor the participant
Pi ((i.e., 𝒰 a or 𝒮 j ), the response of this query is a bit b ∈ {0, 1}. If b = 1, then the session key 𝒮𝒦computed in a fresh and accepted
session ibetween 𝒰 a and 𝒮 j is returned to 𝒜ad . If b = 0, a random value is returned to 𝒜ad .

It is worth mentioning here that a secure one-way hash function h(⋅)is also accessible by all the participants, including 𝒜ad . This
hash function is modeled as a random oracle. In the following theorem, we have proved the formal security of the proposed scheme
under ROM.
Theorem 1. Assume that an adversary 𝒜ad is running a probabilistic polynomial time-bounded (PPT) algorithm to break the security of the
proposed schemeΠ. We also assume that the hash functionh(⋅)behaves like a true random oracle and outputs a digest of lengthl-bit,𝒟is uniformly
distributed password dictionary, the size of𝒟is|𝒟|,lb is the length of biometric,ϵfp is the probability for the case false positive[3]. We also define
CDH
Advt𝒜 ad
is the probability of𝒜ad to solve the computational Diffie–Hellman problem, and𝒜ad can executeqsend ,qhash ,andqexecute polynomial
number of Send, Executeand Hash queries. Thus, the advantage of 𝒜ad in breaking the security of our schemeΠis
{ ( )}
(qhash + qexecute )2 q2hash qsend 1 1 qhash
Advt𝒜Πad ≤ + + + Max qsend , , ϵb + qhash Advt𝒜CDH + l
2l+1 2l 2l− 1 |𝒟| 2lb ad
2

Proof. The proof for this theorem is comprising of the following games GX 0 , GX 1 ,⋯, GX 5 . We take the initiative from a game
that runs the actual attacks and conclude with a game from which 𝒜ad gets no advantage. For each game fusion GXa ,where (0 ≤ a ≤ 5),
we use Suxda indicates the chances that 𝒜ad has to successfully guess the arbitrary bit bin the Testquery.

• GX 0 : This game simulates the real attack in the ROM. In this game, both the instances of 𝒰 a and 𝒮 j will be modeled within the
actual executions. As per the definition of Suxda , we got:
⃒ ⃒
⃒ 1⃒
Advt𝒜Πad = ⃒⃒Pr(Suxd0 ) − ⃒⃒ (2)
2

• GX 1 : This game simulates Hash, Send, Execute, Reveal, Corrupt, and Testoracles. This game simulates the hash function
h(⋅)with the help of a list Hls . Hls comprises of multiple entries in the form of input and output. During the response of hash oracle
about various hash queries, if an old entry exists in Hls , then it returns the corresponding output. Else it returns a value, which is
selected from {0, 1}l uniformly at random. After that, Send, Execute, Reveal, Corrupt, and Testqueries are simulated as done in
actual attacks. We have used the threat model to indicate the exact actions of the queries mentioned above. All these description
shows that this game is indistinguishable from the actual attack. Thus, we got:
|Pr(Suxd0 )| = |Pr(Suxd1 )| (3)

• GX 2 : This game is indistinguishable from the game GX 1 ,but the only difference is that it will be ended when a collision occurs
in the execution of the messages {PIDa ,Ru ,Authu }and {Ej ,Authj }. As per the birthday paradox, the probability of occurring collision
q2hash 2
during the simulation of h(⋅)and the messages {PIDa , Ru , Authu }and {Ej , Authj }are at most 2l
and (qhash +q execute )
2l+1
, respectively. Hence,
we got:

12
K. Mahmood et al. Computers and Electrical Engineering 88 (2020) 106888

(qhash + qexecute )2 q2hash

|Pr(Suxd1 ) − Pr(Suxd2 )| ≤ + l (4)
2l+1 2

• GX 3 : This game is similar to the game GX 2 ,but it will be terminated when 𝒜ad will successfully guess the values of Authu and
Authj without simulating the hash function h(⋅). If this game doesnot reject Πi𝒰 a and Πi𝒮 j , then it is indistinguishable with the game
GX 2 . Thus, the computation of session key is somehow changed to make it free from Pwa and all keys. Therefore, we got:
qsend
|Pr(Suxd3 ) − Pr(Suxd2 )| ≤ (5)
2l− 1

• GX 4 : Here, we only allow online and offline guessing attacks.

- In this case, 𝒜ad is allowed to execute Corrupt(Πi𝒰 a , 1) and Corrupt(Πi𝒰 a , 3) queries to guess the password Pwa of the user 𝒰 a .
𝒜ad can guess Pwa in online from 𝒟with probability q|𝒟|
send
.
- 𝒜ad is also allow to guess the biometric Ba of the user 𝒰 a in online mode by simulating Corrupt(Πi𝒰 a , 1) and Corrupt(Πi𝒰 a , 2)
{ ( )}
queries. The probability to correctly guess the biometric Ba is Max qsend 21lb , ϵb .

Therefore, we got:
( )}
1 1
|Pr(Suxd4 ) − Pr(Suxd3 )| ≤ Max {qsend , , ϵb (6)
|𝒟| 2lb

• GX 5 : This game is also simulated similar to Game4 , but the simulation of 𝒮𝒦in the ROM is different from the real attack on Π.
The simulation of 𝒮𝒦is changed in order to make it free from password and all other relevant keys. When Send(Πi𝒰 a , {PIDa , Ru ,
Authu })and Send(Πi𝒮j , {Ej , Authj })queries are executed, 𝒜ad can compute 𝒮𝒦in the following ways:
- 𝒜ad may guess 𝒮𝒦by simulating the hash function h(⋅). A collision happens in the output of h(⋅)with probability qhash
2l
.
- 𝒜ad may guess the session key 𝒮𝒦without simulating h(⋅),i.e., 𝒮𝒦is completely independent from h(⋅). In this case, 𝒜ad simulates
self-reducibility of the CDH problem for the instance (Ru ,Ej ) = (a2 P,b1 P)to compute Fa = a2 Ej = a2 b1 P = b1 Ru = Fj . If Fa or Fj is
available to 𝒜ad then he/she can calculate 𝒮𝒦 = h(Usera ‖ Fa ‖ Ca )directly. Therefore, we got:

qhash
|Pr(Suxd5 ) − Pr(Suxd4 )| ≤qhash Advt𝒜CDH + (7)
ad
2l

𝒜ad may calculate 𝒮𝒦using a private oracle h (⋅)instead of h(⋅). Since h (⋅)is unknown to 𝒜ad , therefore, we got:
′ ′

1
Pr(Suxd5 ) = (8)
2

By combining all the results (2)–(8) of the games GX 0 - GX 5 , we can write:

{ ( )}
(qhash + qexecute )2 q2hash qsend 1 1 qhash
Advt𝒜Πad ≤ + l + l− 1 + Max qsend , l , ϵb + qhash Advt𝒜CDH + l
2l+1 2 2 |𝒟| 2 b ad
2

6.2. Informal security analysis

This type of security analysis demonstrates that our scheme is logically correct and offer various security features along with the
prevention of non-trivial attacks.

6.2.1. Mutual authentication

In our scheme, 𝒮 j can validate 𝒰 a by verifying Authu = h(PIDa ‖ Usera ‖Ru ‖ Ca ). As Authu can only be computed after the valid
?

computation of PIDa that requires the secret number xknown by 𝒮 j only. Moreover, 𝒰 a can also authenticate 𝒮 j by verifying
Authj = h(Usera ‖ SK ‖Ru ‖ Ej ). Only a legitimate server can pass this check successfully. Because, no one other then 𝒮 j can determine the
?

identity Usera of 𝒰 a without having the knowledge of the private key Prij and secret number xto compute valid session key 𝒮𝒦. Thus, our
scheme offers the mutual authentication between 𝒰 a and 𝒮 j .

13
K. Mahmood et al. Computers and Electrical Engineering 88 (2020) 106888

6.2.2. User masquerading attack

An adversary 𝒜ad cannot masquerade a legal user, even she/he intercepts the login message {PIDa , Ru , Authu }. Because the calcu­
lation of PIDa = Usera ⊕ (a2 Pubj )x requires the private number xof 𝒮 j ,which is unknown to 𝒜ad . In addition, Ru = a2 Pwill be different
for each login request due to value a2 ∈ Zp that is selected uniformly at random from Zp . So, our scheme provides complete resistance
against user masquerade attack.

6.2.3. Server masquerading attack

An adversary 𝒜ad cannot masquerade a legal server 𝒮 j , even she/he intercepts the challenge message {Ej , Authj }. Because the
calculation of Authj = h(Usera ‖ SK ‖Ru ‖ Ej )requires the private key Prij of and secret number xof 𝒮 j . But Prij and xare unknown to 𝒜ad . So
our scheme resists server impersonation attack.

6.2.4. Provision of user anonymity

In our scheme, the identity Usera of the user 𝒰 a is not sent in plaintext. In fact PIDa = Usera ⊕ (a2 Pubj )x is determined and sent over
any insecure channel to 𝒮 j . Moreover, only legitimate server 𝒮 j can compute Usera as Usera = PIDa ⊕ (Prij Ru )x after grabbing the private
key Prij of 𝒮 j . Hence, our scheme offers user anonymity.

6.2.5. Man-in-the-middle attack

Suppose 𝒜ad forges the login message {PIDa , Ra , Authu }, still she/he can not change the login message because PIDa is a session-
specific value. Moreover, the session-specific value a2 ∈ Zp , which is selected uniformly at random, is required to calculate Authu =
h(PIDa ‖ Usera ‖Ru ‖ Ca ), where Ru = a2 P. So, our scheme is secure against man-in-the-middle attack.

6.2.6. Lost/stolen smartcard attack

The smartcard consists of {Da , Ya , Pubj , la , λ, p, q, h(⋅)}. The parameters stored in SCcannot help an adversary 𝒜ad to guess the secret
parameter of the user 𝒰 a . Hence, even if 𝒜ad gets the smartcard SCof 𝒰 a , he/she can not get any advantage. Therefore, we can easily
claim that our scheme resists lost/stolen smartcard attack.

6.2.7. Perfect forward secrecy

𝒰 a and 𝒮 j calculates Authu and Authj using a2 ∈ Zp and b1 ∈ Zp , respectively. These are session-specific random numbers selected by
𝒰 a and 𝒮 j , respectively. Therefore, if the long-term private key of any user is leaked to an adversary, he/she can not derive the past
session keys. Hence, we can claim the perfect forward secrecy of the proposed scheme.

6.2.8. Stolen verifier attack and privileged-insider attack

The proposed scheme does not maintain any database, and the user 𝒰 a is only authenticated using the secret key of the server 𝒮 j .
Similarly, Usera and Pwa are not sent to 𝒮 j in plaintext over a public channel. So, we can claim the resistance of privileged-insider and
stolen verifier attacks in our scheme.

7. Performance comparison

Performance analysis is essential to investigate the efficiency and effectiveness of an authentication scheme. This section analyzes
our method in terms of storage, communication overhead, and computation complexity. Furthermore, the performance of our scheme
is compared with other similar schemes.

7.1. Computation overhead

In this subsection, we compared the computation cost of our scheme with the existing related schemes. The time required for
performing the cryptographic operations is computed using PyCrypto library and Python programming language in ubuntu with the
desktop machine having a processing ability of 3.6 GHz, 8 GB RAM, and Core i5. Table 2 demonstrates the cryptographic operations
with execution time in milliseconds.
We executed the proposed scheme multiple times in the specified environment to obtain the average execution time. We ignored
the execution time of the XOR operation from our comparative analysis since it takes a minimal amount of time for execution.
Table 3 presents the comparison of related schemes and our scheme in terms of execution time. In Fig. 13, the number of iterations

Table 2
Cryptographic operations used for analysis.
Notation Description Time for execution

Th Time of execution for hash function 0.0008398 ms

Tcn Time of execution for concatenation operation 0.0002059 ms
Tpm Time of execution for elliptic curve scalar point multiplication operation 0.0011500 ms
TEnc/Dec Time of execution for encryption and decryption operation 0.0006000 ms

14
K. Mahmood et al. Computers and Electrical Engineering 88 (2020) 106888

Table 3
Comparison of execution time.
Scheme Execution time

Proposed 10Th + 23Tcn + 6Tpm ≈ 0.0200 ms

Dillon and Kalra [3] 8Th + 33Tcn + 4Tpm ≈ 0.0181 ms
Amin and Biswas [24] 12Th + 14Tcn + 7Tpm + 2Enc/Dec ≈ 0.0223 ms
Irshad et al. [9] 15Th + 33cn + 6Tpm + 2TEnc/Dec ≈ 0.0275 ms
Islam et al. [25] 13Th + 34Tcn + 9Tpm ≈ 0.0283 ms

Fig. 13. Comparison of computation cost.

Table 4
Comparison of storage and communication overhead.
Scheme Storage cost (bits) Communication cost (bits)

Proposed 1600 2848

Dhillon and Kalra [3] 2080 2912
Amin and Biswas [24] 1792 4672
Irshad et al. [9] 1696 3808
Islam et al. [25] 1344 3424

of each scheme is presented horizontally, and execution time in ms (milliseconds) presented vertically. It can be observed that the
proposed scheme takes less execution time than the schemes in [9,24,25]. However, our scheme takes slightly more execution time as
compared to [3].

7.2. Storage and communication overheads

In this subsection, the proposed scheme and existing schemes have compared over storage and communication overheads. In our
comparison, we consider the random number, password, identity, timestamp, and the elliptic curve point is 160-bit. Likewise, the
output of the hash function, the public/private key of the server, is 256 bits each, and the plaintext/ciphertext of the encryption/
decryption algorithm is 512 bits. Table 4 presents the memory space and communication cost comparison of related schemes and the
proposed method.
Fig. 14 shows the graphical representation of the storage overhead of our scheme and the related competing schemes, where the X-
axis and Y-axis are presenting various schemes and the storage overhead (bits), respectively. The storage overhead of our scheme is less
than that of the related schemes in [3,9,24], except the scheme in [25].
It is worth to note that our scheme also takes less number of bits for communication than the existing schemes in [3,9,24,25] as
demonstrated in Fig. 15. Furthermore, we showed the security feature comparison in Table 5.
Tables 3, 4, and 5 clearly states that the presented scheme is more efficient and lightweight because it takes less storage,
communication, and computation cost, also it provides additional security features compared to related competing schemes.

15
K. Mahmood et al. Computers and Electrical Engineering 88 (2020) 106888

Fig. 14. Comparison of storage overhead.

Fig. 15. Comparison of communication overhead.

Table 5
Comparison of Security Features.
Scheme→ Proposed Dhillon and Amin and Irshad et al. Islam et al.
Feature↓ Kalra [3] Biswas [24] [9] [25]

Provides mutual authentication ✓ ✓ ⨯ ✓ ✓

Resistance to user impersonation attack ✓ ⨯ ✓ ⨯ ✓
Resistance to server impersonation attack ✓ ✓ ✓ ⨯ ✓
Resistance to stolen verifier attack ✓ ⨯ ⨯ ⨯ ⨯
Resistance privileged insider attack ✓ ⨯ ⨯ ⨯ ⨯
Resistance to smartcard stolen attack ✓ ✓ ✓ ⨯ ⨯
Resistance to man in the middle attack ✓ ✓ ✓ ✓ ✓
Provides user anonymity ✓ ⨯ ✓ ✓ ✓
Provides Perfect forward secrecy ✓ ✓ ✓ ✓ ⨯
Provides No clock synchronization ✓ ⨯ ✓ ⨯ ⨯

8. Conclusion

This paper has reviewed Dhillon and Karla’s three-factor remote user authentication scheme designed for IoMT systems. We have
performed some detailed analyses and found that their scheme violates user anonymity and user traceability. Furthermore, their
scheme is vulnerable to the user impersonation attack and stolen verifier attack. To address the identified security flaws in Dhillon and
Karla’s scheme and other issues found in different schemes, we have proposed a robust and provably secure three-factor remote user
authentication scheme for IoMT systems using elliptic curve cryptography. The proposed scheme has used a fuzzy extractor tool to
avoid the acquisition issue of noisy biometric of an authorized user. The proposed scheme can change the old password of an

16
K. Mahmood et al. Computers and Electrical Engineering 88 (2020) 106888

authorized user without the assistance of the server. Besides, the proposed scheme can revoke a lost or stolen smartcard of a legitimate
user. The provable security of the proposed scheme is analyzed in the random oracle model and found that it is secure based on the
intractability assumption of the computational Diffie–Hellman problem. The proposed scheme is safe based on Dolev-Yao’s threat
model, which allowed a probabilistic polynomial time-bounded adversary with maximum power to attack our scheme. We have also
demonstrated that our scheme resists major security attacks and provides essential security and functionality attributes. Moreover, the
performance analysis showed that the proposed scheme incurred less communication and computation costs, and reasonable storage
cost than the related competing schemes. Consequently, resource efficiency and improved security strength have made our scheme the
most suitable choice for IoMT systems.

CRediT authorship contribution statement

Khalid Mahmood: Supervision, Conceptualization, Methodology, Writing - original draft, Writing - review & editing. Waseem
Akram: Conceptualization, Methodology, Software, Writing - original draft, Visualization. Akasha Shafiq: Conceptualization,
Methodology, Software, Writing - original draft, Visualization. Izwa Altaf: Conceptualization, Methodology, Software, Writing -
original draft, Visualization. Muhammad Ali Lodhi: Investigation, Writing - original draft, Data curation, Visualization. SK Hafizul
Islam: Supervision, Conceptualization, Methodology, Validation, Formal analysis, Writing - review & editing, Visualization.

Declaration of Competing Interest

The authors declare that there are no conflicts of interest regarding the publication of this paper.

References

[1] Zhou L, Chao H-C. Multimedia traffic security architecture for the internet of things. IEEE Netw 2011;25(3):35–40.
[2] Alvi SA, Afzal B, Shah GA, Atzori L, Mahmood W. Internet of multimedia things: vision and challenges. Ad Hoc Netw 2015;33:87–111.
[3] Dhillon PK, Kalra S. Secure multi-factor remote user authentication scheme for internet of things environments. Int J Commun Syst 2017;30(16):e3323.
[4] Tu H, Kumar N, Chilamkurti N, Rho S. An improved authentication protocol for session initiation protocol using smart card. Peer-to-Peer Netw Appl 2015;8(5):
903–10.
[5] Wu L, Zhang Y, Wang F. A new provably secure authentication and key agreement protocol for sip using ECC. Computer Standards & Interfaces 2009;31(2):
286–91.
[6] Dhillon PK, Kalra S. Multi-factor user authentication scheme for IoT-based healthcare services. J Reliab Intel Environ 2018;4(3):141–60.
[7] Sharma G, Kalra S. A secure remote user authentication scheme for smart cities e-governance applications. J Reliab Intel Environ 2017;3(3):177–88.
[8] Sharma G, Kalra S. Advanced multi-factor user authentication scheme for e-governance applications in smart cities. Int J Comput Appl 2019;41(4):312–27.
[9] Irshad A, Kumari S, Li X, Wu F, Chaudhry SA, Arshad H. An improved sip authentication scheme based on server-oriented biometric verification. Wirel Pers
Commun 2017;97(2):2145–66.
[10] Yeh H-L, Chen T-H, Shih W-K. Robust smart card secured authentication scheme on sip using elliptic curve cryptography. Comput Standards Interfaces 2014;36
(2):397–402.
[11] Chen C-L, Lee C-C, Hsu C-Y. Mobile device integration of a fingerprint biometric remote authentication scheme. Int J Commun Syst 2012;25(5):585–97.
[12] Truong T-T, Tran M, Duong A-D. Robust mobile device integration of a fingerprint biometric remote authentication scheme. Proceedings of the IEEE 26th
international conference on advanced information networking and applications. IEEE; 2012. p. 678–85.
[13] Khan MK, Kumari S, Gupta MK. Further cryptanalysis of a remote authentication scheme using mobile device. Proceedings of the fourth international conference
on computational aspects of social networks (CASoN). IEEE; 2012. p. 234–7.
[14] Chuang M-C, Chen MC. An anonymous multi-server authenticated key agreement scheme based on trust computing using smart cards and biometrics. Expert
Syst Appl 2014;41(4):1411–8.
[15] Mishra D, Das AK, Mukhopadhyay S. A secure user anonymity-preserving biometric-based multi-server authenticated key agreement scheme using smart cards.
Expert Syst Appl 2014;41(18):8129–43.
[16] Lu Y, Li L, Yang X, Yang Y. Robust biometrics based authentication and key agreement scheme for multi-server environments using smart cards. PLoS ONE 2015;
10(5):e0126323.
[17] Lu Y, Li L, Peng H, Yang Y. A biometrics and smart cards-based authentication scheme for multi-server environments. Secur Commun Netw 2015;8(17):
3219–28.
[18] Chaudhry SA. A secure biometric based multi-server authentication scheme for social multimedia networks. Multimed Tools Appl 2016;75(20):12705–25.
[19] Chandrakar P, Om H. A secure and robust anonymous three-factor remote user authentication scheme for multi-server environment using ECC. Comput
Commun 2017;110:26–34.
[20] Farash MS, Attari MA. A provably secure and efficient authentication scheme for access control in mobile pay-tv systems. Multimed Tools Appl 2016;75(1):
405–24.
[21] Dhillon PK, Kalra S. A lightweight biometrics based remote user authentication scheme for IoT services. J Inf Secur Appl 2017;34:255–70.
[22] Stinson DR. Some observations on the theory of cryptographic hash functions. Des Codes Cryptogr 2006;38(2):259–77.
[23] Kocher P, Jaffe J, Jun B, Rohatgi P. Introduction to differential power analysis. J Cryptogr Eng 2011;1(1):5–27.
[24] Amin R, Biswas G. A secure three-factor user authentication and key agreement protocol for TMIS with user anonymity. J Med Syst 2015;39(8):78.
[25] Islam SH, Das AK, Khan MK. A novel biometric-based password authentication scheme for client-server environment using ECC and fuzzy extractor. Int J Ad Hoc
Ubiquitous Comput 2018;27(2):138–55.

Khalid Mahmood is currently working at COMSATS University Islamabad, Sahiwal Campus. His research interests include Design and development of authenticated
key agreement protocols using lightweight cryptographic solutions.

Waseem Akram is currently working as a lecturer with the Department of Computer Science (CS) at COMSATS University Islamabad, Sahiwal Campus, Pakistan. He has
done his MS (CS) from the Islamia University Bahawalpur, Baghdad-ul-Jadeed Campus, Pakistan. He received his BS(CS) from COMSATS University Islamabad in 2017.
His research interests include remote user authentication and key agreement in IoMT environments.

Akasha Shafiq completed her MS degree in Computer Science from COMSATS University Islamabad, Sahiwal Campus, Pakistan. She received a BS (Computer Science)
degree with distinction from Bahauddin Zakariya University, Sahiwal campus, Pakistan, in 2018. Her research interests include remote user and key agreement scheme.

17
K. Mahmood et al. Computers and Electrical Engineering 88 (2020) 106888

Izwa Altaf completed her MS degree in Computer Science from COMSATS University Islamabad, Sahiwal Campus, Pakistan. She has completed her BS (Honors) in
Computer Science from International Islamic University, Islamabad, Pakistan. Her research interests are in SIP authentication and information security.

Muhammad Ali Lodhi is pursuing his Ph.D. at the School of Software, Dalian University of Technology, China. He completed his MS degree in Telecommunication and
Networking from Bahria University, Islamabad, in 2015. He received his BS degree in IT from BZU, Multan, in 2012. His research interests include the design of
communication protocols for wireless Ad Hoc and sensor networks.

SK Hafizul Islam is currently an Assistant Professor with the Department of Computer Science and Engineering, Indian Institute of Information Technology Kalyani,
West Bengal, India. He is an Associate Editor for IEEE Systems Journal, IEEE Access, International Journal of Communication Systems (Wiley), Telecommunication
Systems (Springer), Security and Privacy (Wiley), Array-Journal (Elsevier), and Technical Committee Member, Computer Communications (Elsevier).

18