
ID-based Remote Authentication with Smart Cards on Open Distributed System from Elliptic Curve Cryptography

Shyi-Tsong Wu*, Jung-Hui Chiu and Bin-Chang Chieu*

Department of Electronic Engineering, National Ilan University, Taiwan
Department of Electrical Engineering, Chang Gung University, Taiwan
*Department of Electronic Engineering, National Taiwan University of Science and Technology, Taiwan
E-mail: stwu@niu.edu.tw, jhchiu@mail.cgu.edu.tw, chu@et.ntust.edu.tw

Abstract

Elliptic Curve Cryptography provides equivalent security with a far smaller key size. Recently the pairing operations on elliptic curves have received considerable attention. In this paper, we apply the cryptographic primitive of pairings on elliptic curves to a remote password authentication scheme with smart cards. The proposed pairing-based remote authentication scheme requires no password table to verify the legitimacy of the login user and allows the users to choose and change their passwords. The distributed remote hosts do not need the knowledge of the secret of the key information center to authenticate the legitimacy of the users. This enhances the flexibility of the remote authentication scheme.

1. Introduction

Lamport proposed remote authentication over insecure communication [7] in 1981. The scheme can resist replay attacks, but it needs a password table for verifying the legitimacy of the login user. ID-based schemes [2,3,6,9,10,11] were proposed to eliminate the drawback of using a directory table. In these schemes, the secret key corresponding to an ID is assigned by a password generation center, which is against the users' habit. Based on the discrete logarithm problem or one-way hash functions, several remote password authentication schemes [4,8,12,13] were further proposed that allow the users to choose and change their passwords freely. However, to authenticate the legitimacy of the users in these schemes, the remote hosts have to hold the secret of the key information center. This makes the secret easy to leak. If the secret is compromised, all of the cards are compromised, because the data stored in the smart cards have to be calculated from the secret of the key information center. These schemes are therefore not suited to distributed systems or other open applications, since the secret of the key information center may be disclosed easily.

Recently, applications of bilinear pairings on elliptic curves have been studied intensively. The pairing operation can now be securely and efficiently implemented on certain elliptic curves [1,5]. In this paper, we propose a remote timestamp-based password authentication scheme with smart cards built on the bilinear pairings of elliptic curves. By analogy with this scheme, a nonce-based password authentication scheme is submitted for networks whose clocks cannot be easily synchronized. Our schemes eliminate the drawback of the traditional ID-based schemes, namely the assigned, un-human, lengthy password. In addition, the remote distributed hosts do not need the knowledge of the secret of the key information center to authenticate the legitimacy of the users, which gains flexibility for the remote authentication scheme.

2. Bilinear pairings

We briefly describe the basic definition and properties of the bilinear pairing in this section. Let G1 be an additive group of prime order q and G2 be a multiplicative group of the same order q. We assume that the discrete logarithm problem (DLP) in both G1 and G2 is hard. Typically, G1 will be a subgroup of the group of points on an elliptic curve over a finite field, and G2 will be a subgroup of the multiplicative group of a related finite field. Let e be the bilinear map from G1 × G1 to G2 on the elliptic curve that satisfies the following conditions:

Bilinear: e(P1 + P2, Q) = e(P1, Q) e(P2, Q), e(P, Q1 + Q2) = e(P, Q1) e(P, Q2) and e(aP, bQ) = e(P, Q)^ab for all P, P1, P2, Q ∈ G1 and a, b ∈ Zq*.
Non-degenerate: The map does not send all pairs in G1 × G1 to the identity in G2, i.e. there exist P, Q ∈ G1 such that e(P, Q) ≠ 1.
Computability: there is an efficient algorithm to compute e(P, Q) ∈ G2 for all P, Q ∈ G1.

We note that the Weil or Tate pairing associated with supersingular elliptic curves can be modified to create such bilinear maps [1,5].

3. Pairing-wise timestamp-based password authentication scheme

In this section, we present a remote timestamp-based password authentication scheme with smart cards from pairings. The scheme is suitable for open distributed systems and is separated into four phases: the initialization, registration, login and authentication phases. There is a key information center that is responsible for generating keys for all entities, issuing smart cards to new users and serving password-changing requests for the registered users. Some systematic setups are performed in the initialization phase. Prior to accessing the remote system, a new user submits his identity and password to the key information center for registration in the registration phase, and the key information center issues a smart card to the new user. In the login phase, the user attaches his smart card to the input device terminal and keys in his identity idi and password pwi. Then the terminal sends a login request message to the remote distributed host. In the authentication phase, the remote distributed host verifies the correctness of the submitted message and decides whether to accept the login request or not.

Initialization Phase: Firstly, the key information center selects an elliptic curve E with order q and a base point P, and makes them public. Then the key information center chooses a secret s ∈ Zq* and computes Ppub:

Ppub = sP (1)

Ppub is used for verifying the legality of the user in the authentication phase and is sent securely to the distributed remote hosts by some encrypted means.

Registration Phase: In the registration phase, the user i submits the registration request in terms of his identity idi and his chosen password pwi ∈ Zq* to the key information center. That must be sent in person or over a secure channel. On receiving the request, the key information center generates the authentication parameters for the user and stores them into the smart card of the user by performing the following steps on curve E:

1. Compute the public key of the user i from

Qi = H1(idi) (2)

Here H1(): {0,1}* → G1 is a public one-way hash function.

2. Compute the secret key of the user i by

Xi = pwiQi ⊕ sQi (3)

where the notation ⊕ is the coordinate-wise exclusive-OR bit operation.

3. Personalize the smart card with the data {idi, E, q, P, H1(), h(), Xi} and issue the card to the user i; here h() is a one-way hash function.

Fig. 1 Registration Phase
1. user i → KIC: idi, pwi
2. KIC → user i: a smart card with {idi, E, q, P, H1(), h(), Xi}

Login Phase: If the user i wants to log in to the remote system, he attaches his smart card to the input device terminal, then keys in his identity idi* and password pwi*. The smart card performs the following operations.

1. Check the validity of idi*, i.e. whether idi* is equal to the idi that is stored in the memory of the smart card. If they are not equal, the login process is aborted.

2. Perform the following two calculations on curve E:

Ai = rP (4)
Bi = h(T)(pwi*Qi ⊕ Xi) + rQi (5)

Here r is a random number selected by the smart card, and T is the current date and time, used as the timestamp of the input device terminal.

3. Send the message m1 = {idi*, T, Ai, Bi} to the remote system.

Fig. 2 Login Phase
1. user i → host: m1 = {idi*, T, Ai, Bi}, where Ai = rP and Bi = h(T)(pwi*Qi ⊕ Xi) + rQi

Authentication Phase: On receiving the message m1 at time T', the remote system authenticates the user using the following steps.

1. Verify the format of idi*. If the format of idi* is not correct, then the system rejects the login request.

2. Verify the validity of the time interval between T and T'. If (T' − T) ≥ ΔT, where ΔT denotes the expected valid time interval for transmission delay, then the remote system rejects the login request.

3. Check whether the following equation holds or not:

e(Bi, P) = e(Qi*, h(T)Ppub + Ai) (6)

Here Qi* = H1(idi*). If the above equation holds, it indicates that the password pwi* is equal to pwi and idi* is equal to idi. Then the system accepts the login request, otherwise rejects it. This is because

e(Bi, P) = e(h(T)(pwi*Qi ⊕ Xi) + rQi, P)
= e(h(T)(pwi*Qi ⊕ (pwiQi ⊕ sQi)) + rQi, P)
= e(h(T)sQi + rQi, P)
= e((h(T)s + r)Qi, P)
= e(Qi, (h(T)s + r)P)
= e(Qi*, h(T)Ppub + Ai)

4. Pairing-wise nonce-based password authentication scheme

In this section, we further present a nonce-based authentication scheme. It is an extended version of the timestamp-based authentication scheme for networks without synchronized clocks. In the nonce-based authentication scheme, the timestamp is replaced with a nonce to withstand the replay attack. The nonce-based authentication scheme consists of three phases: the registration, login and authentication phases. The registration phase is the same as in the timestamp-based authentication scheme described in the previous section. In the following, the login phase and the authentication phase are described respectively.

Login Phase: To log in to a remote system, the user i inserts his smart card into the input device terminal and keys in his identity idi* and his password pwi*. Then the following steps are performed:

1. The smart card checks the validity of the identity idi*, i.e. whether idi* is equal to the idi that is stored in the memory of the smart card. If they are equal, the smart card sends the identity idi* to the remote system as a request for remote login. Otherwise the login is aborted.

2. Upon receipt of the identity idi* of the user i, the remote host verifies the validity of the format of idi*. If it is legitimate, then the remote host selects a number n randomly as a nonce and sends it back to the smart card.

3. Upon receipt of the nonce, the smart card computes Ai and Ci:

Ai = rP
Ci = n(pwi*Qi ⊕ Xi) + rQi (7)

Here r is a random number selected by the smart card, and Xi = pwiQi ⊕ sQi has been stored in the smart card.

4. The smart card sends the message m2 = {Ai, Ci} back to the remote host.

Authentication Phase: On receiving the message m2, the remote host checks whether the following equation holds or not:

e(Ci, P) = e(Qi*, nPpub + Ai) (8)

If the above equation is satisfied, it indicates that the password pwi* is equal to pwi, the message m2 is generated by the user idi, and the nonce n that the smart card used to calculate Ci is identical to the one generated by the remote host. That is, the message m2 is fresh and is not a replayed message. Then the system accepts the login request, otherwise rejects it. This is because

e(Ci, P) = e(n(pwi*Qi ⊕ Xi) + rQi, P)
= e(n(pwi*Qi ⊕ (pwiQi ⊕ sQi)) + rQi, P)
= e(nsQi + rQi, P)
= e(Qi, (ns + r)P)
= e(Qi*, nPpub + Ai)

Fig. 3 Login Phase of the nonce-based scheme
1. user i → host: idi*
2. host → user i: n
3. user i → host: m2 = {Ai, Ci}, where Ai = rP and Ci = n(pwi*Qi ⊕ Xi) + rQi

5. Security analysis and discussion

Our proposed pairing-based scheme employs the concept of the ID-based scheme and is built on the pairings of elliptic curves. Its security strength is based on the Elliptic Curve Discrete Logarithm Problem (ECDLP). To authenticate the legitimacy of the users, the distributed hosts do not hold the knowledge of the secret of the key information center, although that secret is used to generate the parameter stored in the smart card which the remote distributed hosts use for authentication. This characteristic gains flexibility for our proposed scheme. We analyze the security of the scheme as follows:

The static secret key of the user i, i.e. Xi, saved in the smart card must be computed from the secret s of the key information center. Without the secret s of the key information center, there is no means to forge a valid smart card of the user. On the other hand, to recover the secret key s from the static private key Xi by equation (3) is infeasible, because it faces the ECDLP.

If an adversary wants to masquerade as user i to pass the authentication, he must calculate a valid {Ai, Bi} from equations (4) and (5) to make equation (6), e(Bi, P) = e(Qi*, h(T)Ppub + Ai), hold. Without the knowledge of the secret key Xi, the adversary can neither forge a valid message {Ai, Bi} satisfying equation (6) nor generate a legal message {Ai, Ci} satisfying equation (8). Only the user holding the corresponding legal smart card and password can be a legitimate user who passes the authentication phase.

The replay attack cannot work in our protocol. After eavesdropping a valid {idi, T, Ai, Bi}, the attacker might pretend to be the legal user i to log in to the remote system by modifying the message {idi, T, Ai, Bi} into {idi, T*, Ai, Bi} to make the timestamp T* valid, where T* is the current date and time. However, such a modification fails the verification of the authentication in equation (6), since e(Bi, P) ≠ e(Qi*, h(T*)Ppub + Ai). The attacker could send the message {idi, T*, Ai, Bi*} such that e(Bi*, P) = e(Qi, h(T*)Ppub + Ai) and pass the authentication, where Bi* = h(T*)(pwi*Qi ⊕ Xi) + rQi. However, without the valid Xi, the correct pwi and the random number r, the computation of Bi* is infeasible. Similarly, after eavesdropping a valid {idi, n, Ai, Ci}, the adversary cannot impersonate the legal user i by calculating another valid {Ai, Ci*} from equation (7) for a new nonce n*. Without the valid Xi, the correct pwi and the random number r, the computation of Ci* is impossible either.

In addition, it is infeasible to compromise the secret key Xi of the user i from the communicated messages {idi, T, Ai, Bi} or {idi, n, Ai, Ci}. The adversary could try to calculate the static secret key Xi of the user i by means of equations (5) and (7), but without both the knowledge of the password pwi and the random number r, the computation is impossible.

About the efficiency aspect, we note that the computation of the pairing is the most time-consuming operation in all phases of the authentication scheme, and the smart card has constrained memory and limited computing power. If the pairing computations were performed on the smart card side, the smart card would be loaded with a heavy computing burden. In our proposed scheme, the pairing computations are all performed in the remote hosts, which have strong computing power, so the efficiency is not reduced by the pairing computation.

When a user wants to change his password, he can submit his smart card and a newly chosen password pwi' to the key information center in person or via a secure channel. The key information center computes the new Xi as Xi = pwi'Qi ⊕ sQi and then writes the new Xi into the user's smart card to replace the original Xi. After the replacement of Xi in the smart card of user i, user i can use the new pwi' to log in. Since the password is chosen freely by the user, it is easy for the user to memorize.
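To make the two protocols of sections 3 and 4 and the replay and wrong-password arguments above concrete, the following Python program is an added example, not code from the authors. It models G1 as the integers mod q with base point P = 1 and the pairing as e(aP, bP) = g^ab in the order-q subgroup of Zp* with p = 2q + 1; that is a toy instantiation in which the discrete logarithm is trivial, so it exercises the algebra of equations (1) to (8) but offers no security. The function names (kic_register, card_login_timestamp, host_verify_timestamp, card_login_nonce, host_verify_nonce, demo), the toy parameters q, p and g, the KIC secret s, the password values and the clock values are all constructed for the example; H1 and h are SHA-256 reduced into Zq*, and the coordinate-wise XOR ⊕ of equation (3) becomes an integer XOR.

```python
"""Toy model of the paper's pairing-based login schemes (constructed example, not the
authors' code, not secure).  G1 is the additive group Z_q with base point P = 1, so the
"point" aP is the integer a mod q, and e(aP, bP) = g^(ab) in the order-q subgroup of
Z_p^* (p = 2q + 1).  The map is bilinear, non-degenerate and computable, so every
verification equation of the paper can be exercised; the discrete logarithm in this
G1 is trivial, so nothing here offers real security."""
import hashlib
import math
import secrets

def _is_prime(n):  # trial division; adequate for the ~2^30-sized toy parameters below
    if n < 2 or (n % 2 == 0 and n != 2):
        return n == 2
    return all(n % d for d in range(3, math.isqrt(n) + 1, 2))

Q = (1 << 30) | 1
while not (_is_prime(Q) and _is_prime(2 * Q + 1)):  # smallest q with q, 2q + 1 both prime
    Q += 2
P_MOD = 2 * Q + 1   # toy field prime p; Z_p^* has an order-q subgroup (our G2)
G, P = 4, 1         # g = 2^2 is a square mod p, hence of order q; P = 1 generates Z_q

def add(A, B):      # point addition in G1
    return (A + B) % Q

def mul(k, A):      # scalar multiplication kA in G1
    return (k * A) % Q

def pairing(A, B):  # e(aP, bP) = g^(ab): the bilinear map G1 x G1 -> G2
    return pow(G, (A * B) % Q, P_MOD)

def H1(identity):   # H1: {0,1}* -> G1, the public map-to-group hash of eq. (2), never 0
    return int.from_bytes(hashlib.sha256(identity.encode()).digest(), "big") % (Q - 1) + 1

def h(T):           # h(): one-way hash of the timestamp in eq. (5) (same toy hash)
    return H1(str(T))

def kic_register(s, identity, pw):
    """Registration phase, eqs. (2)-(3): the KIC derives Qi and Xi = pwQi (+) sQi."""
    Qi = H1(identity)
    Xi = mul(pw, Qi) ^ mul(s, Qi)      # (+) is the coordinate-wise XOR of eq. (3)
    return {"id": identity, "Xi": Xi}  # E, q, P, H1(), h() are module globals here

def card_login_timestamp(card, identity, pw, T):
    """Login phase of section 3: m1 = {idi*, T, Ai, Bi}, or None when idi* != idi."""
    if identity != card["id"]:
        return None
    r, Qi = secrets.randbelow(Q - 1) + 1, H1(identity)
    Ai = mul(r, P)                                             # eq. (4)
    Bi = add(mul(h(T), mul(pw, Qi) ^ card["Xi"]), mul(r, Qi))  # eq. (5)
    return {"id": identity, "T": T, "Ai": Ai, "Bi": Bi}

def host_verify_timestamp(Ppub, m1, T_now, delta_T):
    """Authentication phase of section 3; the host holds Ppub = sP but never s."""
    if not isinstance(m1["id"], str) or not m1["id"]:  # step 1: identity format (toy rule)
        return False
    if not 0 <= T_now - m1["T"] < delta_T:             # step 2: (T' - T) >= delta T rejected;
        return False                                    # a future-dated T is rejected as well
    rhs = pairing(H1(m1["id"]), add(mul(h(m1["T"]), Ppub), m1["Ai"]))
    return pairing(m1["Bi"], P) == rhs                  # eq. (6)

def card_login_nonce(card, identity, pw, n):
    """Steps 3-4 of the section 4 login phase: m2 = {Ai, Ci} for the host's nonce n."""
    if identity != card["id"]:
        return None
    r, Qi = secrets.randbelow(Q - 1) + 1, H1(identity)
    Ci = add(mul(n, mul(pw, Qi) ^ card["Xi"]), mul(r, Qi))     # eq. (7)
    return {"Ai": mul(r, P), "Ci": Ci}

def host_verify_nonce(Ppub, identity, n, m2):
    """Authentication phase of section 4, eq. (8)."""
    return pairing(m2["Ci"], P) == pairing(H1(identity), add(mul(n, Ppub), m2["Ai"]))

def demo():
    """Runs both schemes plus the replay and wrong-password cases of section 5."""
    s = 0x2F1A7C3                        # KIC secret (constructed); hosts never see it
    Ppub = mul(s, P)                     # eq. (1), distributed to the hosts
    card = kic_register(s, "alice", 424242)
    T, delta_T = 1000, 5                 # constructed clock values
    m1 = card_login_timestamp(card, "alice", 424242, T)
    bad_pw = card_login_timestamp(card, "alice", 999999, T)
    restamped = dict(m1, T=T + 100)      # eavesdropped {Ai, Bi} re-sent with a fresh T*
    n = secrets.randbelow(Q - 1) + 1
    m2 = card_login_nonce(card, "alice", 424242, n)
    n_next = n % (Q - 1) + 1             # a different nonce for the same {Ai, Ci}
    return {
        "timestamp_ok": host_verify_timestamp(Ppub, m1, T + 1, delta_T),
        "wrong_password": host_verify_timestamp(Ppub, bad_pw, T + 1, delta_T),
        "stale_timestamp": host_verify_timestamp(Ppub, m1, T + delta_T, delta_T),
        "restamped_replay": host_verify_timestamp(Ppub, restamped, T + 101, delta_T),
        "nonce_ok": host_verify_nonce(Ppub, "alice", n, m2),
        "nonce_replay": host_verify_nonce(Ppub, "alice", n_next, m2),
    }
```

Running demo() shows the properties argued in this section: a host holding only Ppub accepts the genuine m1 and m2, the same {Ai, Bi} re-stamped with a fresh T* fails equation (6), a message outside ΔT is rejected, and {Ai, Ci} re-used under a different nonce fails equation (8). The verifier here also rejects a future-dated T, a bound the paper's step 2 does not state but which a deployment would want in addition to the upper bound on T' − T.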

6. Conclusions

We have proposed an ECC pairing-wise, user-friendly remote timestamp-based password authentication scheme with smart cards and its extended version, the nonce-based password authentication scheme. These proposed schemes do not use any password file or verification table to authenticate the users. In this paper, we also analyze some possible attacks. Our proposed scheme eliminates the drawback of the traditional ID-based schemes, namely the assigned, un-human, lengthy password. The remote distributed hosts do not need the knowledge of the secret of the key information center to authenticate the legitimacy of the user, which enhances the flexibility of the proposed authentication scheme. In addition, the scheme inherits the merits of ECC: a small key size and high security. It is especially well suited to smart card applications, mobile communications and other remote distributed systems.

References

[1] Dan Boneh and Matthew Franklin, Identity-Based Encryption from the Weil Pairing, Advances in Cryptology, CRYPTO 2001, Springer-Verlag, pp. 312-229, 2001
[2] C. C. Chang and S. J. Hwang, Using smart cards to authenticate remote passwords, Computers and Mathematical Applications, Vol. 26, No. 7, pp. 19-27, 1993
[3] C. C. Chang and T. C. Wu, Remote password authentication with smart cards, IEE Proceedings-E, Vol. 138, No. 3, pp. 165-168, 1991
[4] Hung-Yu Chien, Jinn-Ke Jan and Yuh-Min Tseng, An efficient and practical solution to remote authentication: smart card, Computers & Security, Vol. 21, No. 4, pp. 372-375, 2002
[5] Steven D. Galbraith, Keith Harrison and David Soldera, Implementing the Tate Pairing, Proceedings of the 5th International Symposium on Algorithmic Number Theory, ANTS-V, Sydney, Australia, pp. 324-337, July 7-12, 2002
[6] Min-Shiang Hwang and Li-Hua Li, A new remote user authentication scheme using smart cards, IEEE Trans. on Consumer Electronics, Vol. 46, February, pp. 28-30, 2000
[7] L. Lamport, Password authentication with insecure communication, Communications of the ACM, Vol. 24, pp. 770-772, 1981
[8] Cheng-Chi Lee, Min-Shiang Hwang and Wei-Pang Yang, A Flexible Remote Authentication Scheme Using Smart Cards, ACM Operating Systems Review, Vol. 36, No. 3, pp. 46-52, 2002
[9] E. Okamoto and K. Tanaka, Identity-based information security management system for personal computer networks, IEEE Journal on Selected Areas in Communications, Vol. 7, No. 2, pp. 290-294, 1989
[10] Hung-Min Sun, An efficient remote user authentication scheme using smart card, IEEE Trans. on Consumer Electronics, Vol. 46, November, pp. 958-961, 2000
[11] S. Tsujii, T. Itoh and K. Kurosawa, ID-based cryptosystem using discrete logarithm problem, Electronics Letters, Vol. 23, pp. 1318-1320, 1978
[12] Shyi-Tsong Wu and Bin-Chang Chieu, A Note on a User Friendly Remote Authentication Scheme with Smart Cards, IEICE Trans. Fundamentals, Vol. E87-A, No. 8, pp. 2180-2181, 2004
[13] Wen-Her Yang and Shiuh-Pyng Shieh, Password Authentication Scheme with Smart Cards, Computers & Security, Vol. 18, No. 8, pp. 727-733, 1999
