An Efficient and Provably Secure Anonymous User Authentication and Key Agreement for Mobile Cloud Computing

Nowadays, due to the rapid development and wide deployment of handheld mobile devices, the mobile users begin to save their resources, access services, and run applications that are stored, deployed, and implemented in cloud computing which has huge storage space and massive computing capability with their mobile devices. However, the wireless channel is insecure and vulnerable to various attacks that pose a great threat to the transmission of sensitive data. Thus, the security mechanism of how the mobile devices and remote cloud server authenticate each other to create a secure session in mobile cloud computing environment has aroused the interest of researchers. In this paper, we propose an efficient and provably secure anonymous two-factor user authentication protocol for the mobile cloud computing environment. The proposed scheme not only provides mutual authentication between mobile devices and cloud computing but also fulfills the known security evaluation criteria. Moreover, utilization of ECC in our scheme reduces the computing cost for mobile devices that are computation capability limited and battery energy limited. In addition, the formal security proof is given to show that the proposed scheme is secure under random oracle model. Security analysis and performance comparisons indicate that the proposed scheme has reasonable computation cost and communication overhead at the mobile client side as well as the server side and is more efficient and more secure than the related competitive works.


Introduction
Mobile cloud computing (MCC) is introduced as services of cloud computing, which is offered in mobile devices such as smart phones and tablets environment [1]. In MCC, mobile users can access resources, applications, and running results stored in the cloud and can deploy and implement a variety of services through cloud computing, enabling mobile devices to increase computing power and to increase storage capacity and contextual awareness. According to Mordor Intelligence's research, in 2023 the MCC market will generate revenues of $94.75 billion (online, 2018) [2]. However, wireless channels supporting communication between mobile devices and the cloud service providers are insecure and are vulnerable to many kinds of attacks like impersonation attack, replay attack, and interception (see Figure 1). Additionally, when the mobile devices access cloud computing services, seamless connectivity will be required while roaming across the heterogeneous network, but their security policies vary greatly which leads to inefficiency. In addition, mobile devices have relatively limited computation capability and energy as compared with traditional computers or laptops. Therefore, a secure and efficient authentication mechanism between the mobile devices and the cloud service provider to ensure the legitimacy of each other is indispensable in preventing illegal access and withstanding potential attacks through wireless channels by the adversary.
According to the comments above, two primary issues should be considered in designing a remote user authentication scheme for mobile devices in MCC:
(1) Security. Since the authentication request and the relevant messages are transmitted over public channel, the roaming authentication mechanism verifies the identity legitimacy of mobile devices while withstanding the well-known attacks launched by the adversary so as to ensure that the private data such as the identity and the geographical location are not leaked and tracked.
(2) Efficiency. Efficiency should be taken intensively into account for the mobile devices. As mentioned above, mobile devices are constrained by computation capability and energy, and the authentication process passes through the heterogeneous network, which means latency and packet loss.
Therefore, improving security and reducing computation cost and communication overhead are very important for developing a practical authenticated scheme.

Related Works.
Authentication protocols play an important role in preventing any unauthorized access from an adversary or malicious user for net-based services. Most of the traditional authentication protocols are based on public key cryptography like RSA. However, RSA cryptosystems heavily consume computation resources and have a lengthy key size making the traditional authentication schemes inefficient in mobile devices that are resource constrained. Elliptic curve cryptography (ECC) [3,4], compared with other public key cryptosystems such as RSA, provides the same security level as RSA with smaller keys and faster computation; e.g., a 160-bit ECC based public key can provide the security level of a 1024-bit RSA based public key and a 256-bit ECC based public key has the same security level as a 3072-bit RSA public key [5]. Therefore, the authentication schemes based on ECC are more beneficial for mobile devices than other cryptosystems.
To access the resource at the remote server, the most convenient and simplest mechanism is the password-only authentication schemes [6-10]. If the user wants to login to the remote server, he must submit his identity and password to the server. Upon receiving the login request, the server checks whether the submitted identity and password are equal to the identity and password stored in the table. If the user's identity and password match the corresponding pair of the table, the user passes authentication of the remote server and is authorized to access the system. To achieve higher security, the password is salted with a hash function in the login request. In general, these schemes only use the single factor of password to protect the system, which makes them prone to online or offline password guessing attack [11,12].
To overcome this issue and further improve the system security, Das first proposed a two-factor authentication scheme in 2009 [13], i.e., using password and smartcard, which provides greater flexibility for authentication and inspired many subsequent relevant works [14-17]. Das claimed that his scheme has the advantage of employing simple hash function, requiring less communication cost, and is secure against known attacks. Unfortunately, many researchers [14-16, 18, 19] examined Das's scheme and identified several security weaknesses (such as insider attack, impersonation attack, and offline password guessing attack) and then put forward many improved versions.
In 2014, Islam-Biswas [20] put forward a two-factor authentication scheme on ECC for cloud computing, and claimed that their protocol is not only efficient but also secure enough to fulfill the security requirements of many authentication scenarios. However, Sarvabhatla-Vorugunti [21] found that Islam-Biswas's scheme [20] fails to resist replay attack and is defenseless to impersonation attack, and they then proposed an enhanced two-factor authenticated scheme to thwart the security weakness. However, extensive use of scalar multiplication made their work inefficient. Qu-Tan [22] presented a new two-factor user authentication and key agreement scheme on ECC to overcome some security weaknesses such as smartcard loss attack in the previous schemes. However, Huang et al. [23] analyzed Qu-Tan's scheme [22] and pointed out that their scheme was unable to withstand impersonation attack, and a new enhanced key agreement for authentication was introduced by Huang et al. to mitigate the chances of security weakness. Unfortunately, Chaudhry et al. [24] found that Huang et al.'s scheme [23] was subjected to impersonation attack and has correctness issues. They introduced an improved two-factor authentication scheme over Huang et al.'s protocol [25] and claimed their scheme can resolve all the correctness issues in the previous one. However, we found that Chaudhry et al.'s scheme [24] is vulnerable to smartcard loss attack.
Independently, Farash-Attari [26] proposed an authenticated protocol to protect data transmission on ECC for mobile client-server networks. Chaudhry et al. [27] proposed an improved smartcard based authenticated protocol for telecare medical information. Xie et al. [28] extended the security model of authentication and presented a dynamic ID-based two-factor authenticated scheme to achieve user anonymity and overcome smartcard loss attack. Lu et al. [29] proposed an anonymous two-factor authentication scheme to eliminate the security weaknesses in the previous schemes for session initiation. Chang et al. [25] proposed an enhanced scheme for IoT and cloud server to fix the security issue of inability to provide mutual authentication and the mistiness of the session key, and retains the merits of the previous one. Kumari et al. [30] also proposed an improved authenticated scheme using ECC for IoT and cloud server and claimed their proposal is resistant to known attacks. The common feature of these schemes is that they support two-factor authentication and make use of ECC to enhance security. Unfortunately, most of these two-factor authentication schemes and similar ones have been shown not to achieve truly two-factor security since they are vulnerable to smartcard loss attack.
In recent years, some other ECC based authentication protocols have been proposed for mobile devices [31-35]. Yet, there is a common issue in these schemes; that is, the authentication process between mobile devices and the remote server must be done with the help of the third party, which makes their communication overhead substantially higher.
In summary, according to the analysis above, most of the existing authentication schemes ultimately turn out to have defects as follows:
(1) High computation cost and high communication overhead result in the impracticality of their scheme.
(2) Not being able to preserve the user privacy leads to the tracking of sensitive information such as identity and location by the adversary.
(3) The security properties of their schemes are evaluated by using their own evaluation criteria, rather than the well-known third-party evaluation criteria.

Our Contributions.
Considering the comments above, a desirable remote authentication scheme for mobile cloud computing services should ensure efficiency while providing appropriate security. In this paper, we present a secure and efficient anonymous two-factor authentication and key agreement scheme for MCC by employing pairing-free ID-based ECC. The contributions of the proposed scheme are summarized as follows:
(1) Privacy-preserving. Preserving user anonymity and providing untraceability are the strong demand of the mobile client, and our protocol fulfills these security requirements.
(2) Not requiring the additional third party. In our scheme, there are no participants other than the mobile client and the cloud server, and the authentication process does not involve a trusted third party such as the home agent.
(3) Strong security and efficiency. The proposed scheme employs "fuzzy verifier" technique to resist offline dictionary attack and fulfills the security evaluation metrics; meanwhile, the performance comparison with the related two-factor schemes shows that our scheme has a better tradeoff between the security requirements and the performance.

Security Evaluation Criteria.
In order to evaluate the security properties of our scheme more fairly, we will adopt the widely accepted evaluation criteria as the third-party security evaluation criteria. We brief the security evaluation criteria as follows.
(1) C1: No password verifier-table. The server should not maintain a table to store the password of user.
(2) C2: Password friendly. The scheme should provide a mechanism for the user to change the password locally.
(3) C3: No password exposure. The privileged insider cannot derive the user password.
(4) C4: No smart card loss attack. If the user's smart card is lost or stolen and obtained by the attacker, the attacker cannot reveal the identity and password of the user.
(5) C5: Resistance to known attacks. The scheme should be secure against basic/sophisticated attacks, such as offline password guessing attack, impersonation attack, and replay attack.

Organization of This Paper.
The rest of the paper is organized as follows. Some preliminaries are given in Section 2. Section 3 presents our two-factor authentication scheme for MCC and the security analysis of the proposed scheme is given in Section 4. The performance comparisons are discussed in Section 5. We conclude this paper in Section 6.

Elliptic Curve Cryptosystem (ECC).
Let $F_p$ be the prime field and / denotes an elliptic curve over a finite , defined by an equation $y^2 \bmod p = (x^3 + ax + b) \bmod p$, a, b∈ with $(4a^3 + 27b^2) \bmod p \neq 0$. The point on / together with an extra point is called the point as "point at infinity." The additive elliptic curve group is defined as G={(x, y): x, y∈ and (x, y) ∈ (a, b)} ∈ { } and we call the point O "point at infinity." Let P,Q∈G, l be the line containing and Q (tangent line to / if P=Q) and the third point R intersecting with / . Let be the line connecting and . Then P '+' Q is the point such that intersects / at and and P '+' Q. The scalar multiplication on / can be computed as kP=P+P+...+P (k times).
More details of the ECC definition can be found in [3].

Computational Problem.
We review the following mathematical problems on elliptic curves in order to prove the security of our proposed protocol:
Elliptic Curve Discrete Logarithm (ECDL) Problem: Given Q, P∈G, finding an integer ∈ * such that Q=aP∈G is hard.
Elliptic Curve Factorization (ECF) Problem: Given (P, Q)∈G, where Q = rP + tP and r, ∈ * , the computation of rP and tP is impossible.

Adversary Model.
Understanding the adversary capabilities is extremely important for designing a truly secure protocol. In this section, we summarize the adversary model used in this paper, based on [35], as follows:
(1) An attacker may control the insecure channel between the related parties. That is to say, the attacker can intercept, eavesdrop, replay, modify, delete, or insert messages over the public channel.
(2) An attacker can extract the secret data stored in the smartcard by side-channel attack [36,37] or differential power attack [38].

Proposed Scheme
In this section, we shall describe the details of our anonymous two-factor user authentication scheme for MCC. The proposed scheme consists of three phases: system setup, registration, and authentication.

System Setup.
The purpose of this phase is to generate the initial parameters for the future user registration and authentication. The working process is as follows and the notations are as defined above:
(1) Choose an elliptic curve over a prime field ;
(2) Select the master key ∈ * and set =sP as the public key;
(4) Select an integer ∈ $[2^4, 2^8]$ as the parameter of fuzzy verifier.

Registration.
In this phase, MC with identity ID wants to register to the cloud server CS and CS generates registration information and delivers them to MC . The messages to be exchanged in this phase are illustrated as follows: The detail of this phase is shown in Figure 2.

Authentication.
In this phase, mutual authentication between MC and CS shall be accomplished. Meanwhile, the session key shared between them is generated. MC and CS perform the following steps: (1) MC → CS: {PID , 1 , 2 }. MC keys his/her ID and PW , the smartcard computes RP * =h( ||PW ), 2 * = ⊕(h(ID ||RPW ) mod m). If 2 * = 2 , the card accepts MC , selects a random number ∈ * , and computes 1 =r P, 2 =r 1 , 2 } as a login request to CS via a public channel. Otherwise, it aborts this session.

Password Update.
When the password of MC is leaked out, our proposed scheme can change the password flexibly. MC performs the following steps to change the password: (1) MC inserts the smartcard and keys ID , PW .

Smartcard Revocation.
If MC 's smartcard is breached, to protect the card from being abused, MC can revoke the card as follows: (1) MC performs step (1) in Section 3.3 to get authenticated by the card.
(3) Upon receipt of revocation request from MC , CS first validates the legitimacy of MC . If it is true, CS sets , , and SCN as null. Thus, the card is revoked so that the card can no longer be used to login to the system unless MC registers again. Otherwise, CS rejects this revocation request.

Security Analysis
In this section, we provide an informal security analysis of the proposed scheme on satisfying the security evaluation criteria of two-factor authenticated protocol, and a formal security analysis to demonstrate that our scheme is secure under random oracle model [39].

Informal Security Analysis

User Anonymity and Privacy.
Privacy is of great importance in the area of mobile cloud computing [40-42]. It means that the attacker cannot determine the sender of the messages and also cannot distinguish whether the messages are sent by the same sender. In our scheme, user's ID is hidden in PID , which is different with h( 1 || 3 ) because 3 is changed with in every session. To retrieve ID , the adversary has to compute 3 . However, he/she will fail because he/she has no knowledge of and . Thus, the adversary cannot get the MC 's identity by computing (ID || 1 )=PID ⊕h( 1 || 3 ). Therefore, the proposed scheme achieves not only user anonymity but also untraceability.

Forward Secrecy.
In our scheme, the session key SK=h(ID ||ID || 2 || || ), where 2 =sX 1 , Y=r P, and =r X 1 =r r P. That is to say, the session key is generated from partial key information provided by MC and CS, respectively, and passed through a hash function. Although the adversary can intercept 1 and in the public channel, to compute 2 = sX 1 and =r X 1 =r r P, he/she needs to know the secret key s and the random number of CS, or the random number of MC . However, this is infeasible due to the hardness of the ECDL problem and the CDH problem.

Mutual Authentication.
In the proposed scheme, CS with s verifies the legitimacy of MC by checking 1 . If 1 is valid, CS authenticates MC . On the other hand, MC authenticates CS by checking 3 and CS will pass the test if 3 is valid. Thus, the proposed scheme achieves mutual authentication.

Offline Dictionary Attack.
Suppose the lost/stolen smartcard is obtained by the adversary and he/she reveals the secret information { 1 , 2 ,ID ,h(⋅), P, K , m} from the smartcard by performing the side-channel attacks [36,37] and fully controls the public channel. We will use two aspects to demonstrate that the proposed scheme is secure against offline dictionary attack.
If the adversary uses 2 to conduct an offline dictionary attack, he/she proceeds as follows:
(1) The adversary chooses a pair (I * ,P * ) from the dictionary space of and , respectively.
(2) The adversary computes RPW'=h(r || * ) and D 2 ' =r ⊕(h( I * ||h (r || * ) mod m).
(3) The adversary verifies the correctness of I * and P * by checking whether D 2 ' = 2 holds. If it holds, the adversary has found a correct pair (ID ,PW ). Otherwise, the adversary will repeat step (1)∼(3) until D 2 ' = 2 .
However, the adversary will not succeed for the following two reasons. First, the adversary has no knowledge of and is large enough to prevent the adversary from guessing successfully according to item (5) of the adversary model in Section 2.4, which results in failure of guessing ID and PW successfully. Second, suppose the adversary knows ; it is also infeasible for him/her to find a correct pair (ID , PW ) because the computation of 2 employs "fuzzy verifier" mechanism. For example, supposing | |=| |=$10^6$ and m=$2^8$, there are | | * | |/m≈$2^{32}$ candidates of (ID , PW ) pair. Therefore, the number of (ID , PW ) candidates is too large for the adversary to conduct the offline dictionary attack successfully.
If the adversary uses 2 and guesses ID from 2 = h(ID || 2 ||PID ), PID and 1 are available from the public channel and 2 = sX 1 . However, the adversary cannot calculate 2 because he/she knows nothing about the secret key of CS. Therefore, the adversary fails to conduct such an attack.
In short, the proposed scheme is secure from dictionary attack.
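The effect of the fuzzy verifier on the candidate count discussed above can be checked numerically. The following Python sketch is an added example, not code from the paper: it uses a simplified verifier h(ID || h(r || PW)) mod m with SHA-256 standing in for h(⋅), hypothetical function names, and small constructed dictionaries, and it assumes (as in the second case above) that r is already known to whoever reads the card.

```python
import hashlib
from typing import Dict, List, Optional, Tuple

Pair = Tuple[str, str]


def h(*parts: bytes) -> bytes:
    """One-way hash h(.): SHA-256 over length-prefixed parts (an assumption)."""
    digest = hashlib.sha256()
    for part in parts:
        digest.update(len(part).to_bytes(4, "big") + part)
    return digest.digest()


def verifier(identity: str, password: str, r: bytes, m: Optional[int]) -> int:
    """Simplified card verifier: h(ID || h(r || PW)) mod m.

    m=None models a conventional exact verifier (no modular reduction),
    which is the weak design the fuzzy verifier replaces.
    """
    rpw = h(r, password.encode())
    full = int.from_bytes(h(identity.encode(), rpw), "big")
    return full if m is None else full % m


def surviving_pairs(stored: int, ids: List[str], pws: List[str],
                    r: bytes, m: Optional[int]) -> List[Pair]:
    """All (ID, PW) pairs in the dictionaries consistent with the card value."""
    return [(i, p) for i in ids for p in pws if verifier(i, p, r, m) == stored]


def expected_candidates(id_space: int, pw_space: int, m: int) -> int:
    """|D_id| * |D_pw| / m, the estimate used in the analysis above."""
    return id_space * pw_space // m


def run_demo() -> Tuple[Pair, Dict[str, List[Pair]]]:
    # Constructed sample data: a fixed r and two 64-entry dictionaries.
    r = bytes(range(16))
    ids = [f"user{n:03d}" for n in range(64)]
    pws = [f"pass{n:03d}" for n in range(64)]
    true_pair = ("user017", "pass042")

    results: Dict[str, List[Pair]] = {}
    for label, m in (("exact", None), ("m=2^4", 2 ** 4), ("m=2^8", 2 ** 8)):
        stored = verifier(true_pair[0], true_pair[1], r, m)
        results[label] = surviving_pairs(stored, ids, pws, r, m)
    return true_pair, results


if __name__ == "__main__":
    true_pair, results = run_demo()
    for label, pairs in results.items():
        # With an exact verifier the card value pins down one pair; with the
        # fuzzy verifier roughly 4096/m pairs remain indistinguishable.
        print(f"{label:6s}: {len(pairs):4d} of 4096 pairs match the card value")
    print("paper-scale estimate:", expected_candidates(10 ** 6, 10 ** 6, 2 ** 8))
```

The same reduction means a wrong (ID, PW) entry passes the card's local check with probability about 1/m, which is the trade-off that the choice of m controls.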

Privileged Insider Attack.
In the proposed scheme, MC submits {ID , h( || PW )} to CS for registration. The password PW is protected with a random number and thus CS cannot learn MC 's PW and other useful information. Therefore, the proposed scheme is secure from privileged insider attack.

Replay Attack.
In our scheme, we make use of the random number mechanism to resist replay attack. In each session, the random number is generated by MC to compute the login request messages {PID , 1 , 2 }, and the random number is chosen by CS to compute the response messages {Y, 3 }. The freshness and validity of the messages are assured effectively by the random number mechanism for the current session. Therefore, the proposed scheme can withstand replay attack.

Verifier-Stolen Attack.
In our scheme, the verifier table {ID , , , SCN } is stored in CS, and these parameters are not security-related. The adversary cannot conduct any attack if he/she compromises this table. Therefore, the proposed scheme can resist verifier-stolen attack.

User Impersonation Attack.
If the adversary intends to impersonate MC , he/she will fail since he/she cannot guess the pair (ID , PW ) or replay the login request {PID , 1 , 2 } successfully as we analyzed above. Furthermore, suppose he/she chooses a random number and computes X 1 = r p, forges PID and , constructs the login request message {PID , X 1 , }, and sends it to CS. CS cannot compute the correct ID in the table according to the login request {PID , X 1 , } from the adversary, which results in the computed M ' not being equal to the received . This means that the adversary fails to impersonate MC . Therefore, the proposed scheme can withstand user impersonation attack.

Formal Security Analysis.
In this section, we use the random oracle model [39] to conduct a formal security analysis of the proposed scheme. For simplification, we adopt the security model of [43] as our security model. We will provide a security proof and a privacy proof of our scheme, and they are similar to [43]. But there are two differences: first, their authentication schemes are based on modular exponentiation, so their security analyses are also based on modular exponentiation, whereas our security analysis is based on ECC; second, our analysis result for the various games is just a rough estimate.
Theorem 1. Assume that P represents the proposed scheme for mobile cloud computing, D is a password space and its frequency distribution follows the Zipf's law, A is a probabilistic polynomial-time (PPT) adversary, and he/she makes maximum queries of Send oracle with execution time t, V P,D (A) denotes the adversary A in breaking AKE security of P. Under the hardness assumption of the CDH problem, if the one-way hash function behaves like a random oracle and the signature scheme in P is unforgeable against adaptive chosen message attacks, then

where C' and s' are the Zipf parameters, l is the security parameter, and (⋅) is a negligible function.
Proof. We prove this theorem with a series of games Gm i (i=0,1,2,3,4,5,6). In each Gm i , the adversary will guess a correct bit with the Test query and this event is denoted as and the corresponding probability is Pr[ ].
Gm 0 : This game is considered as the real attack scenario under random oracle model. According to the definition of A's advantage [43], we have (2)
Gm 1 : This game simulates the hash function h(⋅) by maintaining a hash list ℎ with respect to our scheme P. We also simulate Send, Test, Execute, Reveal, and Corrupt queries as the real player's behavior. We can see that the hash function can be modeled in PPT time and this game is indistinguishable from Gm 0 . Thus, we have
Gm 2 : In this game, we rule out sessions in which the collisions of random oracle queries occur during the simulation of hash function and transcripts { , 1 , 2 , Y, 3 , and 4 }. If the collisions occur, we abort the game and let the adversary win. According to the birthday paradox, we have
Gm 3 : In this game, we modify the simulation rules of session through Execute queries. We use the private hash function h'(⋅) instead of h(⋅) to calculate the session key in passive session. Furthermore, when computing the session key and the authenticator 3 , the Diffie-Hellman key (=r X 1 ) and (=r Y) are removed from the input list, i.e., the session key SK= h'(ID ||ID || 2 ||Y) and authenticator collisions of hash function and the transcripts. Thus, the adversary is capable of distinguishing Gm 3 and Gm 2 only if he/she can calculate the Diffie-Hellman key or in passive session and sends a query (ID ,ID , 2 ,Y, ) to h(⋅). However, breaking the CDH problem is computationally hard. To a CDH instance (X,Y), we use the self-reducibility [44] of CDH problem to embed this instance to the passive sessions. To do that, we select random numbers $a_1$, $a_2$, $b_1$, and $b_2$ ∈ * for each session and set $U = a_1 X + b_1 P$ and $V = a_2 Y + b_2 P$. If the adversary is able to distinguish the game Gm 3 and Gm 2 , a query (ID ,ID , 2 ,Y, ) is made to the hash oracle. This means that the adversary can compute $(K - a_1 b_2 X - a_2 b_1 Y - b_1 b_2 P)/(a_1 a_2)$ as an answer to the CDH instance (X,Y). Under the difficulty of CDH problem, we have
Gm 4 : In this game, we start to handle the active session for Send (CS,{ 4 }) query. And we define the game with the following rule, where the adversary may have computed the correct to impersonate the mobile client MC . The rule by which the participants process queries is modified as follows.
Compute M 4 '=h(ID ||ID || 2 || || m-s ) and check whether M 4 ' is equal to the received 4 . If it is true, the cloud server CS looks up a record ((PID , 1 , 2 ),(Y, 3 ),( 4 )) from the hash list ℎ . We terminate the game if the record exists. The authenticator 4 in the proposed scheme is unforgeable due to the hardness of CDH problem. Thus, we have
Gm 5 : In this game, we continue to the active session for Send(MC ,{Y, 3 }). We also define this game by terminating the game with the following rule, where the adversary is lucky enough to guess to impersonate the cloud server CS without asking the hash query h(⋅). To achieve this goal, the rule by which the participants process the queries is modified as follows.
Look up a record ( * ||ID || * || ) in the hash list ℎ , and we terminate the game if the result is null. Otherwise, compute the session key SK=h(ID ||ID || 2 || || ), 3 The adversary wins only if is correctly guessed without asking h(⋅). Similar to the previous game, we obtain
Gm 6 : In this game, we modify the simulation rule of Send(CS, {PID , 1 , 2 }) query for the last time. When a Send(CS, {PID , 1 , 2 }) query is submitted, the CS first computes 2 , 3 ,ID , 1 ,M 2 ' , and checks whether M 2 ' = 2 holds. If the result is true and the message {PID , 1 , 2 } is forged by the adversary, we abort the simulation and let A win. Afterwards, we evaluate the success probability of forging the message {PID , 1 , 2 }. Note that the authenticator 8 Wireless Communications and Mobile Computing forgery of message {PID , 1 , 2 } is negligible. Thus, we obtain
In the last game, the session keys are chosen randomly and the advantage of A in guessing session keys is negligible and the active sessions are aborted without accepting if A forges the message. The only possibility for A to win the game is to corrupt the smartcard and guess the password of MC . A has no advantage in getting the password from the game. Based on the Zipf's law, we obtain
According to (2)-(9), we have the result of Theorem 1.
Theorem 2. Assume that P represents the proposed scheme and A is a PPT adversary breaking the anonymity of P. The advantage of A in breaking the anonymity of P is bounded by
Proof. We suppose that A can break the anonymity of P with a nonnegligible advantage. We reach this aim by employing A to develop an algorithm to break the CDH problem with the identical nonnegligible advantage.
Algorithm 3. Select , ∈ * , input two tuples (P, r P, sP, r sP) and (P, r P, sP, r), where s is the private key of CS.
(1) Let be a valid user owning his smartcard and password.
(2) Let U1 =r P, U2 =r sP, and execute the subsequent procedure with CS as the protocol definition. We use as the session identifier of this protocol execution.
(3) Let U1 =r P, U2 =r, and execute the subsequent procedure with CS as the protocol definition. The corresponding session identifier of this protocol execution is labelled as . CS may respond with rejection according to the first message from user . In this case, to make and have the same structure, U can set ∈ * and chooses two random bit strings for 3 and 4 , respectively.
(4) Select r ' ∈ * , let U1 =r 'P and U2 =r =r 'sP, and execute the subsequent procedure with the server CS using U1 , U2 . In this case, the session identifier is denoted as .
(5) Two queries TestAnonymity( , ) and TestAnonymity( , ) are made by A, and the returned bits are denoted as 1 and 2 , respectively.

Comparison on Efficiency and Security
In this section, we compare our protocol with other related competitive protocols such as Qu-Tan [22], Farash-Attari [26], Chaudhry et al. [27], Xie et al. [28], Chaudhry et al. [24], Lu et al. [29], Chang et al. [25], and Kumari et al. [30] in terms of computation cost, communication overhead, and security during the authentication phase. The registration is a one-time process, so we have not taken it into consideration.
Here we set and as the order of the supersingular curve or nonsupersingular curve over a finite field is 512 bits and 160 bits, respectively. For the convenience of evaluating computation cost, we set , , , as the time of performing a one-way hash function, the time of performing a scalar multiplication operation of point, the time of performing an addition operation of point, and the time of performing a 160 bits modular inversion, respectively. The time of performing an exclusive-or operation (XOR) and a concatenation operation are much less than a hash function [45], so their times are negligible. Combined with the analysis above, the specific performing time of these operations is shown in Table 1 based on experimental data [46]. Furthermore, we set as the length of identity with 32 bits, as the length of a Point with 1024 bits, ℎ as the length of a one-way hash value with 160 bits, and as the length of a timestamp with 32 bits, respectively.

Comparison of Computation Cost.
The comparison of computation cost between the proposed scheme and the related schemes is shown in Table 2.
According to Table 2, we can learn that the computation cost of our scheme in the mobile client is 0.497 s, which is just slightly higher than [28], while it is much less than the others [22, 24-27, 29, 30]. Meanwhile, the computation cost of our scheme in the server side is 3.616 ms, which is almost the same as [24, 28, 29] and is much less than [22, 25-27, 30]. It is evident that our scheme is still efficient as compared with other related schemes, whether in client side or in server side. To make the comparison clearer, the comparison graph of computation cost is shown in Figure 4.

Comparison of Communication Overhead.
Table 3 compares the communication overhead of the proposed scheme with other related schemes.
From Table 3, we can see that the message size of the proposed scheme is 2688 bits, which shows that our scheme outperforms the related schemes except for [26,28]. We can also see that the number of total messages in the authentication phase of schemes participating in comparison can be divided into two classes, the number of which is 2 and 3, respectively. The number of total messages in our scheme is 3. Although schemes [25,27] can complete their authentication process with 2 messages, these 2-message protocols have the significant security weakness of failing to achieve perfect forward secrecy as pointed out by Krawczyk [47]. In brief, the comparison result demonstrates that the communication overhead of our scheme is acceptable.
The comparison of communication overhead is shown in Figure 5.

Comparison of Security Properties.
Finally, we make a comparison of security properties between our scheme and other related schemes in light of the evaluation metrics, and the result is given in Table 4.
From Table 4, we can see that the proposed scheme achieves more security properties than the other related schemes, such as user anonymity and untraceability, which should not be overlooked in privacy preservation, and it more effectively satisfies the urgent security requirement of mobile users when their sensitive data is transmitted over the wireless network. The other schemes are more or less vulnerable to some security weaknesses: the schemes in [22,24,25,27,29] are vulnerable to smartcard loss attack, the schemes in [25,28] fail to provide user anonymity, and the schemes in [24,25,27,30] cannot provide forward secrecy. Thus, it is clear that the proposed scheme can provide better protection for the mobile client in MCC.
In summary, from the three comparisons above, we can draw a conclusion that the proposed scheme is not only more powerful and efficient in computation cost and communication overhead but also is more secure in withstanding various known attacks than other related schemes.

Conclusion
In this paper, we have proposed a new anonymous two-factor user authentication and key agreement protocol on ECC for mobile cloud computing. The design of the proposed scheme exploits fuzzy verifier technique to prevent offline identity and password dictionary attack. Furthermore, the reasonable use of ECC makes this scheme efficient for mobile devices that are computing capability limited and energy limited with privacy-preserving property. The formal security analysis on random oracle model reveals that the proposed scheme is provably secure under ECDL problem and CDH problem. Furthermore, the comparison of performance and security shows that the proposed scheme is more efficient and secure than the related works. We believe that this proposal is practical for mobile cloud computing.