A Novel ID-Based Authentication and Key Exchange Protocol Resistant to Ephemeral-Secret-Leakage Attacks for Mobile Devices

With the rapid development in wireless communications and cloud computing technologies, clients (users) often use handheld mobile devices to access remote servers via open network channels. To provide authentication and confidentiality between clients and servers, a large number of ID-based authentication and key exchange (ID-AKE) protocols have been proposed for mobile client-server environments. However, most of the existing ID-AKE protocols adopt the precomputation technique so that they become vulnerable to the ephemeral-secret-leakage (ESL) attacks, in the sense that an adversary could use the ephemeral secrets to reveal the private keys of clients from the corresponding exchange messages. In the paper, we propose a new ESL-secure ID-AKE protocol for mobile client-server environments. We formally prove that the proposed protocol satisfies the security requirements of both mutual authentication and key exchange while resisting the ESL attacks. When compared with previously proposed ID-AKE protocols, our protocol has higher security and retains computational performance, since it requires no bilinear pairing operation for mobile clients. Finally, we mention the possibility of adopting our protocol as an authentication method of the extensible authentication protocol (EAP) for wireless networks.


Introduction
A key exchange protocol allows two parties to construct a session key. A symmetric encryption scheme with the session key is used to achieve confidentiality between the two parties. However, key exchange protocols without authentication are not secure against impersonation and intruder-in-the-middle attacks. An authentication and key exchange (AKE) protocol is a key exchange protocol under which the established session key of two parties remains secret from other parties. Several famous AKE protocols [1][2][3] based on the traditional public-key systems [4,5] have been proposed to provide confidentiality and mutual authentication.
In 1985, Shamir [6] proposed an identity-based (ID-based) public-key system that eliminates the certificate management of conventional public-key systems. In an ID-based public-key system, a user's public key is derived from the user's identity information, such as name, social security number, or e-mail address. However, Shamir's system is not practical.

Motivation.
With the rapid growth of wireless communications, clients usually employ mobile devices (e.g., smart cards) to obtain services from remote servers via open network channels. In a mobile client-server environment, these mobile devices are generally resource-constrained because they possess only low-power energy and limited computing capability. In this case, cryptographic operations with expensive computations would become a heavy load for mobile devices. Hence, it is a critical issue to diminish the computational load of mobile devices in AKE or ID-based AKE protocols.
To overcome the resource-constrained situation on the client side, several AKE protocols [24][25][26] for mobile devices have been proposed for conventional public-key systems. Also, based on Boneh and Franklin's ID-based public-key setting, a number of ID-based AKE protocols for mobile devices [27][28][29][30][31][32][33] have been proposed to focus on the computation issue for mobile devices. These protocols above adopted an imbalanced computation technique to reduce the client's computational cost by shifting computational burden to a powerful server.
On the other hand, the offline precomputation technique is employed to lighten the online computational load of mobile devices. In the offline precomputation phase, ephemeral secrets (or random values) are required to generate some values in advance. In the meantime, the ephemeral secrets and these precomputed values are stored in the memory of mobile devices for use in the online phase. As a result, a new type of attack arises, called the ephemeral-secret-leakage (ESL) attack [34][35][36], in the sense that an adversary can reveal the private keys of clients from those precomputed values or the corresponding exchange messages if the ephemeral secrets are compromised. To our knowledge, the existing ID-based AKE protocols [27][28][29][30][31][32][33] did not address the ESL attacks at all. In the paper, we will construct an ID-based AKE protocol which is resistant to the ESL attacks under mobile client-server environments.
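The following added example illustrates the ESL risk described above in working code; it is not the paper's pairing-based protocol and not code from the authors. A toy Schnorr-style signature over a prime-order subgroup of Z_p^* stands in for a client's exchange message built from a stored ephemeral secret. Design A stores the raw nonce during offline precomputation, so a leak of that stored value together with the transcript yields the long-term key; Design B stores only an ephemeral seed and derives the nonce from the seed and the long-term key (the nonce-binding technique associated with LaMacchia et al.'s NAXOS protocol), so the stored value alone is useless. The group parameters, the hash-to-nonce construction and all inputs are constructed for this demo.

```python
"""Added illustration of the ESL risk (not the paper's protocol).
Design A: precomputation stores the nonce k itself (ESL-vulnerable).
Design B: precomputation stores a seed esk; nonce r = H(esk, x) is
recomputed online and never written to storage (NAXOS-style binding).
Group parameters and inputs below are constructed for the demo."""
import hashlib
import secrets

Q = 2**61 - 1  # constructed choice: Mersenne prime as subgroup order


def _is_probable_prime(n, rounds=32):
    """Miller-Rabin test; adequate for building a demo group."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _make_group():
    """Find p = k*Q + 1 prime and a generator g of the order-Q subgroup."""
    k = 2
    while not _is_probable_prime(k * Q + 1):
        k += 2
    p = k * Q + 1
    h = 2
    while pow(h, k, p) == 1:  # h^k has order Q unless it collapses to 1
        h += 1
    return p, pow(h, k, p)


P, G = _make_group()


def _challenge(R, msg):
    """Fiat-Shamir challenge e = H(R, msg) mod Q."""
    data = R.to_bytes(16, "big") + msg
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def keygen(x=None):
    """Long-term key pair (x, y = g^x); x may be supplied for reproducibility."""
    x = secrets.randbelow(Q - 1) + 1 if x is None else x % Q
    return x, pow(G, x, P)


def verify(y, msg, sig):
    """Standard check g^s == R * y^e for both designs."""
    R, s = sig
    return pow(G, s, P) == (R * pow(y, _challenge(R, msg), P)) % P


# Design A: the device stores (k, R = g^k) and uses k directly online.
def precompute_plain(k):
    return {"k": k % Q, "R": pow(G, k, P)}


def sign_plain(x, pre, msg):
    e = _challenge(pre["R"], msg)
    return pre["R"], (pre["k"] + e * x) % Q


# Design B: the device stores (esk, R = g^r) with r = H(esk, x); r is
# recomputed online with one hash and never stored.
def _bound_nonce(esk, x):
    data = b"nonce" + esk.to_bytes(32, "big") + x.to_bytes(32, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def precompute_bound(esk, x):
    return {"esk": esk, "R": pow(G, _bound_nonce(esk, x), P)}


def sign_bound(x, pre, msg):
    e = _challenge(pre["R"], msg)
    return pre["R"], (_bound_nonce(pre["esk"], x) + e * x) % Q


def key_from_leaked_ephemeral(leaked, msg, sig):
    """Design check modelling the ESL query: given the stored ephemeral value
    and the transcript, solve s = nonce + e*x for x. A design passes the
    check only if the result is NOT the signer's key."""
    R, s = sig
    e = _challenge(R, msg)
    return None if e == 0 else ((s - leaked) * pow(e, -1, Q)) % Q


def esl_check(x=None, k=None, esk=None, msg=b"constructed exchange message"):
    """Run both designs through the same leakage check; returns a dict."""
    x, y = keygen(x)
    k = secrets.randbelow(Q - 1) + 1 if k is None else k
    esk = secrets.randbelow(2**128) if esk is None else esk
    sig_a = sign_plain(x, precompute_plain(k), msg)
    sig_b = sign_bound(x, precompute_bound(esk, x), msg)
    return {
        "plain_valid": verify(y, msg, sig_a),
        "plain_key_recovered": key_from_leaked_ephemeral(k, msg, sig_a) == x,
        "bound_valid": verify(y, msg, sig_b),
        "bound_key_recovered": key_from_leaked_ephemeral(esk % Q, msg, sig_b) == x,
    }
```

Running `esl_check()` reports that both designs produce valid signatures, that Design A's stored nonce lets the leakage check recover the key, and that Design B's stored seed does not. The design point is where the ephemeral state lives: Design B costs one extra hash online, which is exactly the kind of trade-off the precomputation technique has to weigh against ESL exposure.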

Related Work.
In 2002, Smart [19] proposed the first ID-based AKE (ID-AKE) protocol based on the Weil pairing. However, Shim [20] pointed out that Smart's protocol does not offer forward secrecy. Shim also presented a new ID-AKE protocol with the optimal number of Weil pairing operations. Afterwards, several ID-AKE protocols [21][22][23] were proposed to improve performance and achieve more security properties. However, the protocols mentioned above require bilinear pairing operations on both ends and are consequently not suited for low-power computing devices.
In 2005, Choi et al. [27] proposed an ID-AKE protocol for mobile client-server environments. They adopted an imbalanced computation technique which shifts the client's computational burden to a powerful server. In 2010, Wu and Tseng [28,29] also proposed two efficient ID-AKE protocols which do not require any bilinear pairing operations on the client side under mobile client-server environments. Their protocols are proved to be secure against ID attack, impersonation attack, and passive attack and offer mutual authentication, implicit key confirmation, and partial forward secrecy. In 2012, He [30] presented a new ID-AKE protocol to improve the performance of Wu and Tseng's protocol on client side. In addition, Islam and Biswas [31] and He et al. [32], independently, proposed ID-AKE protocols based on elliptic curve cryptography (ECC) without using bilinear pairings. Chuang and Tseng [33] proposed a generalized ID-based AKA protocol for mobile multiserver environments which is suitable for both general users with a long validity period and anonymous users with a short validity period. Chuang and Tseng's protocol is secure against all known attacks and provides forward secrecy. Indeed, all the mentioned ID-AKE protocols [27][28][29][30][31][32][33] adopted the precomputation technique to reduce the computational load of the mobile client. In such a case, as mentioned earlier, those ID-AKE protocols would be vulnerable to ESL attacks under mobile client-server environments.
In 2007, LaMacchia et al. [34] presented a strong security model for AKE protocols, which is concerned with the ESL attacks. They proposed a concrete AKE protocol resistant to ESL attacks. In their protocol, the leakage of ephemeral secrets would not damage the security of session keys and private keys of parties. In 2011, Ni et al. [35] proposed a strongly secure ID-AKE protocol which captures all basic security properties including the ESL resistance. Although Ni et al.'s protocol requires six bilinear pairing operations, one can employ the precomputation technique to reduce the computation cost if the identity of the other party in the communication is known beforehand. However, they did not address the scenarios for applications to mobile client-server environments. In 2014, Islam [36] also proposed a provably secure ID-AKE protocol resistant to ESL attacks. Islam's protocol still requires two bilinear pairing operations for a client.

Contribution and Organization.
In the paper, we propose a new ID-AKE protocol resistant to ESL attacks in mobile client-server environments, called the ESL-secure ID-AKE protocol. In the proposed protocol, we also adopt the techniques of imbalanced computation and offline precomputation to reduce the computational cost required by a mobile client. Indeed, our protocol requires no bilinear pairing for mobile clients. Our protocol employs Tseng et al.'s ESL-secure signature scheme [37] to achieve the client-to-server authentication. Also, the offline precomputation is carried out prior to the execution of our protocol to achieve better performance. As compared with previously proposed protocols, our protocol is secure against the ESL attacks while retaining the computational performance. For security analysis, we first formalize the adversary's capabilities by redefining the adversarial model of ESL-secure ID-AKE protocols in mobile client-server environments. Under the computational Diffie-Hellman (CDH) assumption [7,12], we demonstrate that our protocol is provably secure in the random oracle model [38,39]. Finally, we discuss the relationship between our protocol and the extensible authentication protocol (EAP) for wireless networks [40][41][42][43]. It turns out that our ESL-secure ID-AKE protocol can be viewed as an authentication method of the EAP framework [40,41].
The remainder of this paper is organized as follows. In Section 2, mathematical assumptions are presented. An adversarial model of the ESL-secure ID-AKE protocols is presented in Section 3. The proposed ESL-secure ID-AKE protocol is presented in Section 4. In Section 5, we give security analysis of the proposed protocol. Performance comparisons and discussions are given in Section 6. Finally, conclusions are drawn in Section 7.
International Journal of Distributed Sensor Networks

Preliminaries
In this section, we compendiously introduce the concept of bilinear pairings, the related mathematical assumptions, and the notations used throughout this paper.

Security Assumptions.
Let 1 , 2 , and ̂ be defined as above. Here, we define the security assumption on which our scheme is based.
Definition 1. The CDH assumption in 1 is defined as follows. Given , , ∈ 1 for unknown , ∈ * , no probabilistic polynomial-time (PPT) adversary A can compute with a nonnegligible probability. The successful probability (advantage) of the adversary A is presented as where the probability is measured over the random choices of , ∈ * consumed by A.

Notations.
For convenience, the system parameters, notations, and functions used throughout this paper are defined as follows:
: an admissible bilinear map from 1 × 1 into 2 ;
: a generator of the group 1 ;
: the system private key randomly chosen from * ;
pub : the system public key defined by pub = ⋅ ;
ID: the identity of a client;
ID : the private key of the client ID;

Adversarial Model
Based on the security models in [34,35], we present an adversarial model of ESL-secure ID-AKE protocols for mobile client-server environments. In 2007, LaMacchia et al. [34] presented a strong security model of AKE protocols, which addresses the ephemeral-secret-leakage (ESL) attacks. Based on LaMacchia et al.'s model, Ni et al. [35] defined the security model of strongly secure ID-AKE protocols (also called ESL-secure ID-AKE protocols) by adding the key extract query. Their model is a modification of LaMacchia et al.'s model, altered from the conventional PKI-based setting to the ID-based setting.
In the following, we first describe an adversary's capabilities against ESL-secure ID-AKE protocols for mobile client-server environments. In our adversarial model, we assume that an adversary A is a probabilistic polynomial-time (PPT) algorithm that potentially controls all communications by accessing a set of oracles described below. In the following, we will denote the th instance of the participant ∈ { , } by Π , where and indicate a client and the powerful server, respectively.
Hash Queries ( ). The oracle Π keeps an initially empty list for each hash function. Upon receiving the hash query along with a message , the same response is returned if the query has been asked before. Otherwise, the oracle Π selects a random value , records the pair ( , ) in the list, and returns to the adversary A.
(i) Extract (ID): upon receiving such a query, the oracle Π computes the private key ID associated with ID and returns it to the adversary A. This query models ID attacks.
(ii) Send (Π , ): upon receiving such a query, the oracle Π executes the protocol according to and returns the corresponding results to the adversary A. This query models passive attacks.
(iii) Reveal (Π ): upon receiving such a query, the oracle Π outputs the corresponding session key SK if the oracle has accepted the session; otherwise, it returns a null value. This query addresses the known-session-key security, in the sense that a compromised session key should not endanger other session keys.
(iv) Ephemeral-secret-leakage (Π ): this query models ephemeral-secret-leakage attacks. When the adversary A issues this query, the oracle Π returns the used ephemeral secret values (or random values) in the corresponding session. Note that, in our adversarial model, A is forbidden to issue this type of query on the server .
(v) Corrupt (Π ): this query models partial forward secrecy. The adversary A can issue such a query on a client to obtain the private key of . Therefore, a compromised private key should not endanger any previous session key between the client and the server. Here, as in [34,35], the adversary A can issue either the Ephemeral-secret-leakage query or the Corrupt query, but not both.
(vi) Test (Π ): when the adversary A sends such a query, the oracle flips an unbiased coin . If = 1, then the oracle Π returns the session key SK; otherwise, it returns a random value. A is allowed to issue such a query only once to the oracle Π .
Here, we present the adversarial model of ESL-secure ID-AKE protocols. The reader is referred to [34][35][36] for detailed descriptions.
Definition 2 (partnership). One says that Π and Π are partners if they can authenticate mutually and accept a common session key.
Definition 3 (freshness). An oracle Π with partner Π is fresh if the following conditions hold: (1) Π and Π accept a session key SK ≠ NULL while neither of them has been asked a Reveal query; (2) no Corrupt query can be issued before the query Send (Π , ) or the query Send (Π , ) is asked.
Definition 4 (ESL-secure ID-AKE security). An ESL-secure ID-AKE protocol for mobile multiserver environments offers existential unforgeability and possesses the secrecy of session key against adaptive chosen ID attacks if no PPT adversary A has a nonnegligible advantage in the following game played between A and a set of oracles Π , where ∈ { , }.
(1) The adversary A may ask a finite number of various queries and obtain responses from the corresponding oracles.
(2) Every user is assigned a private key via the key extract phase after the system setup phase accomplishes.
(5) The adversary A may adaptively make further queries before Test (Π ), where Π must be fresh. Finally, A outputs its guess for the bit which has been previously chosen in the Test (Π ).

Definition 5 (advantage). Let Succ denote the event that A correctly guesses the bit chosen in the Test query. If A asks a Test (Π ) and guesses the bit b, the successful advantage (probability) of A in attacking the ESL-secure ID-AKE protocol P is defined as Adv P (A) = |2 ⋅ Pr[Succ] − 1|.
One says that the ESL-secure ID-AKE protocol P is secure if Adv P (A) is negligible.
Definition 6 (partial forward secrecy). An ESL-secure ID-AKE protocol P provides partial forward secrecy if any adversary A with client C's private key cannot compromise previous session keys between and the server.
Definition 7 (implicit key authentication). An ESL-secure ID-AKE protocol provides implicit key authentication if every client is assured that no other clients can learn its session keys with the server.

Our Protocol
In this section, we present our concrete ESL-secure ID-AKE protocol for mobile client-server environments. Our protocol consists of three phases, namely, the system setup phase, the key extract phase, and the mutual authentication and key agreement phase.

System Setup Phase.
Our system consists of a powerful server and some mobile clients. These clients refer to users with handheld devices. A client has access to the server through open channels, such as the Internet or wireless networks. The powerful server is responsible for generating and distributing private keys to clients while providing services or applications. The server is also responsible for generating the system parameters.
In the phase, the server first generates two cyclic groups 1 and 2 of a large prime order , an admissible bilinear map : 1 × 1 → 2 , and a random generator of 1 , where 1 and 2 are additive and multiplicative groups, respectively. The server then performs the following tasks: (1) randomly select a system private key ∈ * ; (2) compute the system public key pub = ⋅ ; where is a fixed length with 2 < ; (4) publish public parameters and functions as

Key Extract Phase.
In the key extract phase, a client submits its identity ID to the server and receives the corresponding private key ID . The key extract phase is depicted in Figure 1. We present the detailed procedures as follows.
(1) The client submits its identity ID to the server .

Mutual Authentication and Key Exchange Phase.
Suppose that a client with identity ID would like to communicate with the powerful server and to access services of the server. As depicted in Figure 2, the detailed interactions between the client and the server are presented as below.
(3) Upon receiving ⟨ , Auth ⟩, the client authenticates the server by performing the following tasks.
On the other hand, we have = since = ⋅ 2 = ⋅ ⋅ ID,2 = ⋅ ID,2 = . And, in this case, we say that Auth and Auth are valid, and the client and the server have established a common session key SK.

Security Analysis
In this section, we present the security analysis of our proposed protocol in the random oracle model [38,39]. In the following, five theorems are given to prove that the proposed protocol achieves the security requirements of ESL-secure ID-AKE protocols for mobile client-server environments. These security requirements include client-to-server authentication, server-to-client authentication, key agreement, implicit key confirmation, and partial forward secrecy. In Theorems 8 and 10, we show that the proposed protocol provides the client-to-server and server-to-client authentications, respectively, under ID, impersonation, and ephemeral-secret-leakage attacks. Hence, the proposed protocol offers mutual authentication. In Theorem 9, we show that the proposed protocol provides secure key agreement under known-session-key attacks. Furthermore, the implicit key confirmation and partial forward secrecy are established by Theorems 11 and 12, respectively.

Client-to-Server Authentication.
First, we prove that an adversary cannot impersonate a legitimate client to communicate with the server under the CDH assumption. We establish this by the methods similar to those in [24,28], in which a Simulation B is employed to simulate all the queries and oracles which occurred in our proposed protocol. In the following, we use the notations Π and Π to indicate the th instance of the server and the th instance of a client C, respectively.

Theorem 8. Assume that a probabilistic polynomial-time (PPT) adversary A can violate the client-to-server authentication with a nonnegligible advantage by making at most , ,
Proof. We assume that there is a probabilistic polynomial-time algorithm A with an advantage 0 within time 0 to perform adaptive chosen message attacks, ID attacks, and ephemeral-secret-leakage attacks on our proposed protocol. By Lemma 1 in [12], A can break the protocol with an advantage ≤ 0 (1 − 1/ )/ 1 within running time ≤ 0 under adaptive chosen message, ephemeral-secret-leakage, and fixed-ID attacks. Without loss of generality, we set ID as the fixed target identity. If the oracle Π of the server accepts with no partner, it means that A has successfully impersonated the client to the server and violated the client-to-server authentication.
Next, we would like to construct an algorithm B to solve the CDH problem by appealing to A. Namely, upon receiving a random instance ( , , ) in 1 with unknown , ∈ * , the algorithm B is able to derive by interacting with A. Here, we will adopt the methods similar to those in [24,28] and Tseng et al.'s ESL-secure signature scheme [37] to achieve the client-to-server authentication. To simulate the actual situations, we employ the algorithm B (called Simulation B) to make the initialization and respond to A according to our protocol.
(i) Initialization: at first, Simulation B generates the system parameters ⟨ 1 , 2 , , ,̂⟩ and sets the system public key pub = ⋅ , where is the system private key. Simulation B then sends the public parameters to A. Simulation B maintains the lists 1 , 2 , and , = 1, . . . , 4, to respond consistently without collision to the hash queries 1 , 2 , and , = 1, . . . , 4. These lists are initially empty.
(ii) 1 (ID, ID,1 ): upon receiving such a query, the same response is given if the query has been asked before. Otherwise, B randomly selects a value 1 ∈ {0, 1} , records the tuple (ID, ID,1 , 1 ) in the list 1 , and returns 1 to A.
(vi) 1 (ID): upon receiving such a query, the same response is given if the query has been asked before. Otherwise, B selects a random value ∈ * and sets ID,2 = ⋅ − if ID = ID ; ID,2 = ⋅ , otherwise. Simulation B records the tuple (ID, , ID,2 ) in 1 and returns ID,2 to A.
(vii) 2 ( 1 , 2 ): upon receiving such a query, the same response is given if the query has been asked before. Otherwise, B selects a random value ∈ * , records the tuple ( 1 , 2 , = ⋅ ) in 2 , and returns to A.
(viii) Extract (ID): upon receiving such a query with ID ≠ ID , B accesses the corresponding tuples (ID, ID,1 , 1 ) and (ID, , ID,2 ) in the lists 1 and 1 , respectively. Then, Simulation B chooses a random value V and returns the private key ID = ( ID,1 = V, ID,2 = ⋅ pub , ID,1 = V ⋅ − 1 ⋅ pub ) to A. If ID = ID , B aborts.
(ix) Ephemeral-secret-leakage (Π ): when A issues this query, B returns the ephemeral secret value adopted in the corresponding session. This query models ephemeral-secret-leakage attacks. Note that A need not issue this query to the server since, in our protocol, no ephemeral secret value is used on the server side.
(x) Send queries: there are four cases.
(3) Upon receiving the Send (Π , ⟨ , Auth ⟩) with C's identity ID distinct from ID , B computes = ⋅ ⋅ pub = ⋅ ID,2 and checks whether the equality Auth = 2 (ID, 1 , 2 , , , ) holds. If the equality holds, the oracle Π accepts the session. Then B computes Auth = 3 (ID, 1 , 2 , , , , Auth ) and returns ⟨Auth ⟩ to A. Otherwise, B declines the request. On the other hand, if ID = ID , B selects a random value Auth ∈ {0, 1} and returns ⟨Auth ⟩ to A. In this case, A is unable to verify the validity of ⟨Auth ⟩ due to the lack of ID,2 and = ⋅ ID,2 .
By the responses to those queries above, B is perfectly indistinguishable from the proposed protocol. If A could violate the client-to-server authentication with a nonnegligible advantage, it would be required to send two valid messages ⟨ID, 1 , 2 , , ID,1 ⟩ and ⟨Auth ⟩ to the oracle Π . In such a case, since ⟨ID, 1 , 2 , , ID,1 ⟩ is valid, it must satisfy the equality ̂( , ) = ̂( 1 + ID,1 , ) ⋅ ̂( pub , ℎ ⋅ + ID,2 ), where = 2 ( 1 , 2 ), ℎ = 1 (ID, ID,1 ), and ID,2 = 1 (ID). We also know that ⟨ID, 1 , 2 , , ID,1 ⟩ can be viewed as a signature on the message 2 as in Tseng et al.'s ESL-secure signature scheme [37]. Hence, if A can violate the client-to-server authentication, B can solve the CDH problem with a nonnegligible advantage by adopting the same approach as in [37]. On the other hand, to generate a valid message ⟨Auth ⟩, A must obtain ID,2 since ⟨Auth ⟩ is derived from , which is exactly ⋅ ID,2 (here, we assume that A can obtain the ephemeral secret value via ESL attacks). This enables B to solve the CDH problem ( , , ) in 1 with unknown , ∈ * , namely, to evaluate by computing ⋅ − ID,2 since is a known value in the list 1 and ID,2 = ⋅ ID,2 due to the tuple ⟨ , pub = , ID,2 = ⋅ − ⟩. Therefore, the proposed protocol is secure against adaptive chosen message attacks, ID attacks, and ephemeral-secret-leakage attacks and provides the client-to-server authentication.

Key Agreement.
In the following, we prove that the proposed protocol provides key agreement under the CDH assumption. Simulation B is used to simulate the actual situation in our protocol.

Theorem 9.
Assume that a PPT adversary A can guess the value correctly involved in the Test query with a nonnegligible advantage by making at most , , 1 , 2 , and queries, for = 1, . . . , 4, respectively, to the Π oracle of the server and the Π oracle of the client , 1 , 2 , and for = 1, . . . , 4. Then there is a challenger B that can solve the CDH problem with a nonnegligible advantage.
Proof. First, we know that the adversary A can guess the unbiased coin correctly with probability 1/2 in the Test query. Let the symbol Osk denote the event that A obtains the correct session key. Assume that A can guess the value correctly with a nonnegligible advantage . Hence, A obtains the correct session key with the advantage Without loss of generality, we denote by the symbols Test (Π ) and Test (Π ), respectively, the successful events of obtaining the correct session key in the Test query to the client and the server. Note that A can issue the Test query to the client or the server. Because the client actively connects to the server, we have the inequality for some instances and of the server and the client , respectively. In the following simulation, we employ the algorithm B (called Simulation B) to make the initialization and to respond to A according to our proposed protocol. Without loss of generality, we set ID as the fixed target identity.
(ii) Extract (ID): it is the same as in the proof of Theorem 8.
(iv) Reveal (Π ): on receiving such a query, Simulation B returns the associated session key SK if the corresponding oracle accepts the session; otherwise, it returns a null value. This query addresses the known-key security in the sense that a compromised session key should not endanger other session keys.
(v) Ephemeral-secret-leakage (Π ): this query models ephemeral-secret-leakage attacks. When A issues this query, B returns the ephemeral secret value adopted in the corresponding session.
(vi) Corrupt (Π ): this query models partial forward secrecy. The adversary A can issue this query to a client to obtain its private key. Therefore, a compromised private key should not endanger previous session keys between the client and the server. Note that, as in [34,35], A can issue either the Ephemeral-secret-leakage query or the Corrupt query, but not both.
(vii) Test (Π ): when the adversary A sends such a query, the oracle Π flips an unbiased coin . If = 1, then the oracle returns the session key SK; otherwise, it returns a random value. A is allowed to issue this query only once to the oracle Π .
In the simulation above, Simulation B is perfectly indistinguishable from the proposed protocol unless the event Event 2 occurs. And, we can see that the event ∃ , Osk ∧ Test (Π ) is equal to the event ∃ , Osk ∧ Test (Π ) ∧ ¬Event 2 so that we have Pr[Osk ∧ Test (Π )] ≥ /2 − Pr 2 . Hence, by the simulation of the oracle Π of the client C, we have Pr [SK = 4 (ID, 1 , 2 , , , , Note that, if is nonnegligible, the probability /2 − Pr 2 is also nonnegligible since the probability Pr 2 is negligible by Theorem 8. Also, A can obtain the ephemeral secret value by the ESL attacks. Now, we assume that pub = and ID,2 = . Then, we have 1 = ⋅ and 2 = ⋅ ID,2 = ⋅ . Therefore, if A could obtain the session key SK with a nonnegligible probability, it means that A has obtained . In this case, given ( 1 , 2 , pub ) = ( ⋅ , ⋅ , ), A has obtained = ⋅ ID,2 = ⋅ . Thus, B can evaluate by computing −1 ⋅ so that B solves the CDH problem with a nonnegligible advantage.

Server-to-Client Authentication.
In the following theorem, we prove that an adversary cannot impersonate the server to communicate with the client under the CDH assumption.
Theorem 10. If a PPT adversary A can violate the server-to-client authentication of our proposed protocol with a nonnegligible advantage, then there is a challenger B which can solve the CDH problem with a nonnegligible advantage.
Proof. Here, we employ an algorithm B (called Simulation B) to make the initialization and to respond to the adversary A according to our proposed protocol. As in the proof of Theorem 9, the Simulation B is perfectly indistinguishable unless the event Event 2 occurs. Since the probability Pr 2 is negligible by Theorem 8, we can assume that Event 2 does not occur.
Let the symbol Event 2 denote the event violating the server-to-client authentication. If the event Event 2 occurs, there is an instance of the client which has accepted the session with no legal partner. Namely, the oracle Π has issued (ID, 1 , 2 , , ID,1 ) and received ( , Auth ), where the latter is not generated by an oracle Π . Therefore, one of the following three cases must have happened. Next, we discuss the probability for each of the three cases. It is obvious that the probability of Case 1 is less than /2 and the probability of Case 2 is ( / )( − 1), which is less than 2 / . The probability of Case 3 can be denoted by Pr[(ID, 1 , 2 , , , ) | 1 , 2 , pub ∈ 1 , = ⋅ 2 ]. Thus, As before, A can obtain the ephemeral secret value by the ESL attacks. Now, we assume that pub = and ID,2 = . Then we have 1 = ⋅ and 2 = ⋅ ID,2 = ⋅ with unknown , ∈ * . In this case, given ( 1 , 2 , pub ) = ( ⋅ , ⋅ , ), A can compute = ⋅ 2 = ⋅ with a nonnegligible probability. Therefore, if A could obtain the session key SK, it would be able to compute . In such a case, B can use A to obtain swP. Therefore, B can solve the CDH problem with a nonnegligible advantage.
Hence, by assuming that A can violate the server-to-client authentication with a nonnegligible advantage , B then solves the CDH problem with the advantage ≥ − /2 − 2 / . Therefore, under the CDH assumption, our proposed protocol provides the server-to-client authentication.

Implicit Key Confirmation
Theorem 11. Under the CDH assumption, our proposed protocol offers implicit key confirmation in the random oracle model.
Proof. We say that an ID-AKE protocol provides implicit key confirmation if the protocol assures that the server/client can compute a session key which no others can produce. By Theorems 8 and 10, the client and the server can authenticate each other in the random oracle model under the CDH assumption. In Theorem 9, we have proved that an adversary cannot compute the session key. Therefore, our proposed protocol provides implicit key confirmation.

Partial Forward Secrecy
Theorem 12. Under the CDH assumption, our proposed protocol offers partial forward secrecy in the random oracle model.
Proof. If the adversary A corrupts the secret key of the server, then all the previous session keys can be recovered (from the transcripts) since A can then compute = ⋅

Performance Comparisons and Discussions
For convenience, the following notations are used to analyze the performance: By the simulation results in [44,45], , mul , exp , and are more time-consuming than add and , and is the most time-consuming operation. Here, we list the simulation result of pairing-based operations on a resource-constrained mobile device. Scott et al. [44] gave the computational costs needed for various pairing-based operations on the Philips HiPersmart card, whose processor has a maximum clock speed of 36 MHz. For the Ate pairing system in [44], a popular and valid choice would be to use a supersingular curve over a finite field ( ), with = 512 bits and a large prime order = 160 bits. Table 1 lists the experimental data for the related pairing-based operations on the Philips HiPersmart card.
In the following, we analyze the computational cost of the proposed protocol. In our protocol, the client side requires 4 mul + and does not require any bilinear pairing operation. Furthermore, the client can perform offline computations in advance in Step 1 of the mutual authentication and key exchange phase described in Section 4.3. Hence, the mutual authentication and key exchange phase requires only mul for online computation on the client side. On the other hand, the server side performs Steps 2 and 4 to authenticate a client with a session key. It requires 3 + 2 mul + 2 . As for the communicational cost, the bit length of communication between a client and the server is bounded by 4| | + 4| 1 |.
In Table 2, we demonstrate the comparisons among Ni et al.'s protocol [35], Chuang and Tseng's protocol [33], Islam's protocol [36], and ours in terms of the computational cost, communicational cost, and ESL security. As mentioned in Section 1, both the proposed protocols of Ni et al. and Islam fulfill all basic security properties including ESL resistance, while Chuang and Tseng's protocol cannot withstand ESL attacks.
In the following, let us discuss the relationship between our protocol and the extensible authentication protocol (EAP) for wireless networks [40][41][42][43]. Typically, the EAP standard or framework [40,41] is viewed as an authentication framework independent of the underlying authentication technology. Under the EAP framework, many authentication protocols have been proposed, and each of them has various advantages and weaknesses. As in [42], our ESL-secure ID-AKE protocol might be viewed as an authentication method of the EAP framework, without relying on PKI (public key infrastructure). In such a case, there is no need for the management of certificates and the deployment of a certification authority (CA).
Most EAP authentication protocols lack identity protection or user anonymity. In this paper, we focus on optimizing the authentication process but do not address the issue of user anonymity. Indeed, as mentioned in Section 1.2, Chuang and Tseng's ID-AKA protocol [33] is suitable for general users (with a long validity period) and anonymous users (with a short validity period) as well. Generally, ID-based or certificate-based authentication protocols must rely on other techniques (e.g., Universal Subscriber Identity Module of cellular networks) to provide user anonymity [42]. In addition, the reader can refer to [43] for the privacy protection issue of authentication protocols in the EAP framework.

Conclusions
In the paper, we proposed an efficient ESL-secure ID-AKE protocol for mobile client-server environments. Under the CDH assumption, our protocol is provably secure in the random oracle model and provides mutual authentication, key agreement, implicit key confirmation, partial forward secrecy, and resistance to the ESL attacks. We adopt the imbalanced computation to reduce the computational cost required by a mobile client. In addition, a mobile client may perform offline precomputation to reduce the online computational cost. When compared with previously proposed ID-AKE protocols for mobile client-server environments, our protocol has higher security and better computational performance.